Safeguarding the integrity of financial systems and protecting against fraud and errors are paramount concerns for any business. One way to address both of those threats is a concept called segregation of duties — a personnel tactic that promotes transparency and accountability throughout these systems.
This article explores that concept, unpacking what makes it a critical component of any robust auditing process.
What Does Segregation of Duties Mean?
Segregation of duties (SoD) is just what the name implies: you divide key duties among several people to reduce the chance of fraud or error. Put another way, SoD ensures that no single person holds enough power to commit fraud, or cause a material error, without someone else being in a position to notice.
What is the relationship between segregation of duties and internal controls?
Segregation of duties is a fundamental element of internal controls. The underlying principle is that no one person or group of employees should be able to commit and conceal errors or fraud in their day-to-day jobs. Various internal controls allow you to achieve that. For example:
- Audit trails. Audit trails let auditors reconstruct the flow of a transaction from its origin to its final effect on the records. A robust audit trail records who initiated the transaction, the timestamp and date of entry, the entry type, the data fields submitted, and the files or records the transaction changed.
- Transaction logs. Organizations should maintain transaction logs, whether manual or automated, at the system or application level. These logs record every processed system command or application transaction, which supports accountability and lets reviewers tie each change back to a person.
- Supervisors. Supervisors review the work of employees, and play a critical role in managing unusual transactions — transactions that might be fraudulent, or simply unusual for other, legitimate reasons. Supervisors assure that exceptions are properly and promptly addressed.
- Independent review. Having one employee review another’s work helps to identify errors and irregularities, particularly in financial statements.
These internal controls collectively strengthen the segregation of duties, reducing the risk of errors and unauthorized activities.
Common Examples of Segregation of Duties
Many specific job duties should be kept separate. For example, different individuals should:
- Handle receivables and approve them
- Record transactions and reconcile the accounting records
- Approve the purchase of goods or services and have custody of checks
- Set credit limits and release credit holds
- Initiate a purchase order and approve it
- Approve the purchase of goods or services and reconcile the monthly financial reports
- Reconcile bank statements and approve vendor payments
- Deposit cash and reconcile bank statements
- Manage buyer setup and approve requisitions
- Open the mail and prepare a list of checks received and make the deposit
- Manage buyer setup and approve purchase orders
- Enter a journal and approve journal entries
- Make payments to vendors and reconcile bank statements
How Does Segregation of Duties Fit With Auditing?
The main purpose of SoD is to disperse responsibility for critical financial, security, and operational processes among multiple people, so that no single person has enough power to commit fraud or some other transgression.
SoD is well established in financial accounting systems. It is also gaining importance in IT departments, especially in relation to compliance with the Sarbanes-Oxley Act, which requires management assessment and external audit of internal controls over financial reporting in order to protect investors from fraudulent reporting. SOX audits now routinely check whether your SoD has been implemented sensibly, or whether any duties conflict so severely that they pose a significant threat to the integrity of your financial reporting.
Why Do You Need Segregation of Duties Controls?
Generally, organizations should structure their tasks so that one employee's work is separate from, or acts as a safeguard for, another employee's work. This arrangement lowers the chances of unnoticed mistakes and restricts the opportunities for someone to misuse assets or hide deliberate inaccuracies in the company's financial records. Essentially, SoD mitigates the risk of fraud by making it harder for any one individual, acting alone, to both commit and conceal a problem.
Enforcing segregation of duties is also a crucial control element in support of an organization's risk management strategy. Although internal control audit standards and accounting pronouncements do not spell out specific SoD requirements, maintaining an effective system of internal controls necessitates appropriate segregation of duties. Effective internal controls require a division of responsibilities between the individuals who handle assets and those who perform control activities or accounting procedures.
Major Functions of Segregation of Duties
Under the concept of SoD, business-critical duties can be categorized into four types of functions:
- Authorization
- Custody
- Record keeping
- Reconciliation
Ideally, no one person should perform more than one of these four functions for the same process or asset.
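The conflict pairs listed above and the four-function model can both be enforced mechanically against a role-to-user mapping. The following Python checker is an added example written for this article; it is not ZenGRC code, and the duty names, role definitions and user assignments are constructed for illustration. It flags two kinds of conflict: an explicit toxic pair from the list above, and a user whose combined roles span more than one of the four function types. The second check catches combinations the pair list never anticipated, while the first catches conflicts that live entirely inside one function type (setting a credit limit and releasing a credit hold are both authorization duties, so only the pair check finds them).

```python
"""Segregation-of-duties conflict checker over role assignments.

Added example with constructed data; duty and role names are hypothetical.
"""
from collections import defaultdict
from itertools import combinations

# Each duty is classified into one of the four SoD function types.
DUTY_FUNCTION = {
    "approve_purchase_order": "authorization",
    "approve_vendor_payment": "authorization",
    "approve_journal_entry": "authorization",
    "set_credit_limit": "authorization",
    "release_credit_hold": "authorization",
    "custody_of_checks": "custody",
    "deposit_cash": "custody",
    "make_vendor_payment": "custody",
    "initiate_purchase_order": "record_keeping",
    "enter_journal_entry": "record_keeping",
    "record_transaction": "record_keeping",
    "reconcile_bank_statement": "reconciliation",
    "reconcile_accounting_records": "reconciliation",
}

# Explicit toxic pairs, taken from the article's list of duties to keep apart.
CONFLICT_PAIRS = {
    frozenset(p) for p in [
        ("initiate_purchase_order", "approve_purchase_order"),
        ("set_credit_limit", "release_credit_hold"),
        ("approve_purchase_order", "custody_of_checks"),
        ("reconcile_bank_statement", "approve_vendor_payment"),
        ("deposit_cash", "reconcile_bank_statement"),
        ("make_vendor_payment", "reconcile_bank_statement"),
        ("enter_journal_entry", "approve_journal_entry"),
        ("record_transaction", "reconcile_accounting_records"),
    ]
}

# Constructed sample data: roles grant duties, users hold roles.
ROLE_DUTIES = {
    "ap_clerk": ["initiate_purchase_order", "record_transaction"],
    "ap_manager": ["approve_purchase_order", "approve_vendor_payment"],
    "treasury": ["custody_of_checks", "make_vendor_payment"],
    "credit_analyst": ["set_credit_limit", "release_credit_hold"],
    "controller": ["reconcile_bank_statement", "reconcile_accounting_records"],
}
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager", "treasury"],   # conflict only emerges across two roles
    "carol": ["credit_analyst"],         # conflict inside a single role
    "dave": ["controller"],
}


def effective_duties(user, user_roles, role_duties):
    """Union of duties a user holds through every assigned role."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties.update(role_duties.get(role, ()))
    return duties


def find_conflicts(user_roles, role_duties,
                   duty_function=DUTY_FUNCTION, conflict_pairs=CONFLICT_PAIRS):
    """Return a list of findings; each is a dict with user, kind and detail."""
    findings = []
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        # Check 1: explicit toxic pairs.
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in conflict_pairs:
                findings.append({"user": user, "kind": "pair", "detail": (a, b)})
        # Check 2: more than one of the four function types held by one person.
        by_function = defaultdict(list)
        for duty in duties:
            if duty in duty_function:
                by_function[duty_function[duty]].append(duty)
        if len(by_function) > 1:
            findings.append({"user": user, "kind": "function",
                             "detail": tuple(sorted(by_function))})
    return findings


def users_with_conflicts(findings):
    """Set of users that have at least one finding."""
    return {f["user"] for f in findings}


if __name__ == "__main__":
    for f in find_conflicts(USER_ROLES, ROLE_DUTIES):
        print(f"{f['user']}: {f['kind']} conflict {f['detail']}")
```

Running the block reports bob (authorization plus custody, including the approve-purchase/custody-of-checks pair) and carol (the credit-limit/credit-hold pair), while alice and dave stay clean. Note that bob's conflict is invisible if you review each role in isolation; conflicts must be evaluated on the effective set of duties a person ends up with, which is exactly where unreviewed role accumulation in an identity system undermines SoD.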
Levels of Segregation of Duties
Organizations apply SoD by requiring separation between individuals or groups of individuals. There are several levels at which duties can be segregated:
- SoD by individuals (individual-level SoD). This is the traditional and most basic level. SoD is achieved by having different people perform different duties. For example, a manager authorizes a payment and a clerk executes it.
- SoD by functions or organizational units (unit-level SoD). At this level, different business departments perform the segregated duties. For example, the procurement team sources new vendors, while the accounting team approves payments to those vendors.
- SoD by companies (company-level SoD). At this level, different legal entities must take part in an operation. For example, the parent company might have to authorize investments made by a subsidiary.
Prepare for Your Next Audit with Help from ZenGRC
Because SoD is an internal control, you should view it within the frame of your risk management activities. Thoroughly analyze your business processes and decide how you will detect and resolve potential conflicts. Where a conflict cannot be removed (small teams often cannot staff four separate functions), put compensating controls in place, such as independent review or periodic reconciliation by someone outside the process, to manage the associated risk. You must also have a clear understanding of the individuals involved, their roles, and any potential conflicts.
That’s a lot of work. Luckily, you can use ZenGRC to set up an effective audit management system and be prepared for your next audit. Here’s how it works:
- Automated relationship building. ZenGRC automatically establishes connections and assigns tasks as you set up your program, create audits, or identify findings. This simplifies the process of organizing and managing your audit-related work.
- Operational dashboards. ZenGRC’s operational dashboards provide full visibility into the progress of tasks such as collecting audit evidence and assessing the effectiveness of controls. This transparency helps you stay on top of compliance efforts and explains your compliance audit status to stakeholders.
- Real-time risk and compliance insights. ZenGRC provides a unified, real-time view of your organization’s risk and compliance landscape. This invaluable perspective empowers you to make informed decisions that enhance your company’s security and build stakeholder trust.
Ready to see it in action? Schedule a demo today to discover how ZenGRC can work for you.