Macy’s $154M Lesson: Why Every Company Needs Separation of Duties

Last Updated: April 3, 2025

In early 2025, a scandal broke that sent shockwaves through the financial world. Macy’s, one of America’s most iconic retailers, revealed that an internal accounting fraud had distorted its financial results for years (New York Post). At the heart of the scandal was a single employee who allegedly concealed up to $154 million in delivery expenses over three years—resulting in inflated profits and executive bonuses that should never have been paid. The consequences were swift and severe, from plummeting stock prices to clawbacks of executive compensation and a flood of reputational fallout.

But beyond the headline numbers and boardroom drama lies a deeper, more systemic failure: a breakdown in governance. This wasn’t just a rogue employee gone unchecked. This was a textbook case of what happens when the principle of Separation of Duty (SoD) is ignored.

What Went Wrong at Macy’s

The fraud was relatively simple in execution. According to reports, an employee manipulated accounting entries to misclassify delivery costs—a tactic that made operational expenses appear lower than they were. This, in turn, inflated the company’s profits and triggered executive bonuses tied to performance metrics. The scheme lasted for nearly three years, evading internal detection until it was flagged and investigated by the company’s auditors.

While the dollar value of the concealed expenses is troubling enough, the true cost is far greater. Macy’s has now committed to restating several years of financial results, has launched internal investigations, and is facing scrutiny from regulators and investors alike. The reputational damage is harder to quantify but perhaps even more severe. Investors trust financial statements to be accurate; when that trust is broken, the consequences ripple far beyond Wall Street.

The incident also raises uncomfortable questions about Macy’s internal controls. How could a single employee execute such a scheme for so long without detection? Where were the controls designed to prevent this sort of activity? And perhaps most critically: why weren’t duties adequately separated to ensure that no one individual had end-to-end control over sensitive financial processes?

Culture and Control: Two Sides of the Same Coin

Fraud rarely occurs in a vacuum. In many cases, it thrives in environments where organizational culture implicitly permits or even encourages unethical behavior. Culture is set at the top, and when leadership emphasizes short-term gains, aggressive growth, or performance targets above all else, employees may feel pressured to manipulate outcomes to meet expectations.

Consider the infamous case of Wells Fargo, where thousands of employees were pressured to meet unrealistic sales quotas and opened millions of fake customer accounts to meet performance targets. The root cause? A toxic culture driven by unattainable goals and a lack of accountability at the leadership level. Similarly, Boeing faced scrutiny after it was revealed that employees were discouraged from reporting defects in the 737 MAX program, highlighting how a culture of silence and fear endangers not only compliance but human lives.

Macy’s may not have had the same life-or-death stakes, but its scandal follows the same cultural pattern. Financial incentives tied to inflated metrics, combined with weak oversight, can tempt individuals to commit fraud or overlook red flags. And when risk management processes are siloed or superficial, the opportunity for misconduct expands.

Moreover, regulators are increasingly holding organizations accountable not just for the outcomes of risk management, but for the culture that drives them. Regulatory frameworks, such as those guided by the Financial Stability Board (FSB) and Basel Committee on Banking Supervision, emphasize that institutions must demonstrate that their risk culture and governance structures support effective risk management. This includes clearly defined roles, ethical leadership, and enforced Separation of Duty (SoD). A strong risk culture naturally reinforces SoD by fostering accountability and deterring risky behavior.

Separation of Duty: A Governance Imperative

Separation of Duty (SoD) is not just a best practice—it’s a foundational principle of internal control. By dividing responsibilities among multiple people, SoD prevents any one individual from having unchecked control over a critical process. For example, the person who approves a purchase should not be the same person who makes the payment or records the transaction.

At Macy’s, the lack of SoD appears to have allowed one employee to manipulate records without oversight. This failure enabled the fraud and prolonged its duration. Proper SoD would have created a system of checks and balances where multiple parties were involved, reducing the likelihood of fraud going undetected.

Learn more about Separation of Duty in LogicManager’s practical guide: Governance 101: Why Separation of Duties is Non-Negotiable

Lessons from the Three Lines of Defense Model

The effectiveness of Separation of Duty is supported by frameworks like the Three Lines of Defense (3LOD) model, which formalizes responsibility for internal controls across the organization.

  • First Line: Operational management, including those responsible for executing and documenting controls, should ensure SoD is built into day-to-day activities. 
  • Second Line: Risk and compliance functions are responsible for designing, monitoring, and improving SoD enforcement across business processes. 
  • Third Line: Internal audit independently tests and validates that SoD and related controls are effective, reporting to senior leadership and the board. 

In theory, the Three Lines of Defense (3LOD) model should have prevented the fraud. There was a clear breakdown of Separation of Duty within Accounting and Operations. Roles and responsibilities were not understood in enough detail to properly implement SoD—one individual had control across multiple processes, leaving an approval workflow unchecked. The second line of defense should have identified this lack of SoD, especially given that accounting and operations are critical functions vital to the organization’s success. The third line of defense serves as a final safety net to assess and validate the effectiveness of the first two lines. Because the fraud persisted for such a long period, it indicates that the 3LOD model was not functioning effectively—and that Macy’s corporate culture may not fully support or enforce its stated governance values.

The Ripple Effects of Negligence

The fallout from governance failures rarely stays contained. Following Macy’s scandal, analysts and governance experts raised concerns about broader weaknesses in internal controls across the retail sector. Short-term stock declines for retailers like Kohl’s and Nordstrom were attributed by some commentators to shaken investor confidence in the accuracy of financial reporting.

While the U.S. Securities and Exchange Commission (SEC) did not formally announce an investigation tied to Macy’s, it has consistently emphasized the importance of strong Internal Control over Financial Reporting (ICFR). In past actions—such as its 2019 enforcement against four companies for ICFR failures—the SEC made clear that companies are expected to self-identify, disclose, and remediate control weaknesses (SEC press release). Macy’s case illustrates the broader risk that governance breakdowns pose to market trust and reinforces the need for companies to continuously maintain and test their control environments.

Practical Steps to Prevent a Macy’s-Level Breakdown

For risk professionals, Macy’s serves as a cautionary tale and a rallying cry. Here are some practical steps every organization should consider:

  1. Perform a Segregation of Duties Assessment: Regularly evaluate all key processes to ensure critical duties are appropriately divided. 
  2. Implement Automated Controls: Use technology to flag unusual transactions or unauthorized changes to financial data. 
  3. Reinforce 3LOD Responsibilities: Ensure that each line knows its role, has the resources to perform it, and is held accountable. 
  4. Promote a Culture of Integrity: Align performance incentives with ethical behavior, not just financial outcomes. 
  5. Test and Audit Regularly: Independent audits should go beyond checklists and explore deeper systemic vulnerabilities.
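The approve / pay / record example from the SoD section and steps 1 and 2 of this list, as an added illustration (not LogicManager’s or Macy’s code): a static SoD assessment over role assignments, plus an automated check over a transaction log that flags any actor who performed two conflicting steps on the same expense. User names, duty labels and expense ids are constructed.

```python
from collections import defaultdict

# Duties the article says must not rest with one person: approving a
# purchase, making the payment, and recording the transaction.
CONFLICTING_DUTIES = {frozenset({"approve", "pay"}),
                      frozenset({"approve", "record"}),
                      frozenset({"pay", "record"})}


def role_conflicts(assignments):
    """SoD assessment (step 1): users whose assigned duties include a
    conflicting pair. `assignments` maps user -> set of duties."""
    conflicts = {}
    for user, duties in assignments.items():
        held = [tuple(sorted(p)) for p in CONFLICTING_DUTIES if p <= duties]
        if held:
            conflicts[user] = sorted(held)
    return conflicts


def transaction_violations(events):
    """Automated control (step 2): transactions where one actor performed
    two conflicting steps. `events` are dicts with txn, actor, action."""
    actions_by_txn = defaultdict(lambda: defaultdict(set))
    for e in events:
        actions_by_txn[e["txn"]][e["actor"]].add(e["action"])
    violations = []
    for txn, actors in actions_by_txn.items():
        for actor, actions in actors.items():
            for pair in CONFLICTING_DUTIES:
                if pair <= actions:
                    violations.append((txn, actor, tuple(sorted(pair))))
    return sorted(violations)


# Constructed sample data (hypothetical users and expense ids, not Macy's records).
SAMPLE_ASSIGNMENTS = {"alice": {"approve"}, "bob": {"pay"},
                      "carol": {"record"}, "dave": {"approve", "record"}}
SAMPLE_EVENTS = [
    {"txn": "EXP-1001", "actor": "alice", "action": "approve"},
    {"txn": "EXP-1001", "actor": "bob", "action": "pay"},
    {"txn": "EXP-1001", "actor": "carol", "action": "record"},
    {"txn": "EXP-1002", "actor": "dave", "action": "approve"},
    {"txn": "EXP-1002", "actor": "bob", "action": "pay"},
    {"txn": "EXP-1002", "actor": "dave", "action": "record"},  # approves and records
]

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(SAMPLE_ASSIGNMENTS))
    print("transaction violations:", transaction_violations(SAMPLE_EVENTS))
```

The first check belongs in a periodic access review; the second runs continuously over posted entries so a conflict is raised when it occurs rather than years later by the auditors.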

Conclusion: The Cost of Complacency

The Macy’s accounting scandal was not just a lapse in judgment; it was a systemic failure. It revealed cracks in the company’s internal control framework, exposed weaknesses in its governance culture, and ultimately reminded the business world that risk management is not optional.

Separation of Duty isn’t just about compliance. It’s about trust. It’s about protecting the integrity of financial reporting, the interests of shareholders, and the long-term sustainability of the organization. As the Macy’s case demonstrates, when these principles are ignored, the costs are high—and they’re paid in dollars, reputation, and lost confidence.

In a world where stakeholders demand transparency and accountability, organizations must treat governance not as a back-office formality but as a strategic imperative. Because the next Macy’s-level scandal could already be brewing somewhere—and it’s up to risk managers to stop it before it starts.