Segregation of duties is a commonly used and widely accepted internal control practice. It is the process of taking shared responsibilities of a key process and dispersing the critical functions of that process to more than one person or department. Implemented effectively, this control reduces the risk that any employee will be able to carry out and conceal errors or fraud in the normal course of his/her duties without detection. In general, there are four categories of duties or responsibilities that are examined when segregation of duties is discussed:
1.) Custody of assets.
2.) Authorization or approval of transactions affecting those assets.
3.) Recording or reporting of related transactions.
4.) Reconciling existing assets to recorded amount.
Ideally employees performing any one of the above functions would not also perform any of the other three functions.
Examples of proper segregation of duties include:
1.) The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
2.) The person who can set up a vendor should not be the person to process a payment to the vendor.
3.) The person who hires and inputs new hire data should not be the person who issues payroll.
When segregation of duties is not deemed practical due to staffing constraints or cost, compensating controls can be implemented. Compensating controls are also known as alternative controls. They are meant to correct undesirable outcomes that have already occurred or to reduce risk to an acceptable level when other controls have failed or are not cost effective. Compensating controls should meet the intent of the original control but go above and beyond the original control in order to provide a similar level of assurance.
An example of a compensating control would be in a situation where the same employee accepting cash payments is recording those payments. This situation has improper segregation of duties since the person had custody of the assets and is also recording the related transaction. To mitigate risk, a compensating control could be implemented. The compensating control could be to have a second employee perform a reconciliation procedure whereby (s)he reviews the cash against the recorded transactions.
Remember, compensating controls are not as desirable as segregation of duties since they typically occur after a transaction is completed. Therefore, compensating controls should be a last resort attempt of an organization- especially if the staffing exists to allow for segregation of duties.
When segregation of duties is set up properly, it can help you determine strengths, opportunities, or gaps that may require additional training or staffing. You don’t want one person holding all the cards- this opens your organization up to fraud and error risks.
Now it’s time for you to take a look at your organization. Do you have separation between critical processes?
Thomas is a member of Cerini & Associates’ audit staff where he works with our education and school district clients. He conducts claims audits at various school districts on Long Island.