Which duties should be segregated?
Duty segregation applies to incompatible duties: tasks that create an obvious conflict of interest when one person holds both. For example, it's not advisable that the people who have access to assets are also the people responsible for them.
The general duties involved in duty separation include:
- Authorization or approval of transactions. A manager or someone with the delegated authority approves certain transactions. Using inventory as an example, someone creates a requisition for the goods, and a manager authorizes the purchase and the budget.
- Custody of assets. Assets mean cash, as well as goods. In this case, one worker orders the goods, and another worker marks the items as received in the company’s accounting system. This way, the person who orders the items can’t pad the order with more than needed and take some for personal use at the company’s expense.
- Reviewing and reconciling transactions. This is where the extra layer of financial auditing comes in for the inventory. The worker who records the items as received has their work reviewed and reconciled for accuracy and compliance.
Some specific areas within a business that need at least two people include:
- Cash and banking, such as separating those who receive cash from those who have ready access to the safe key
- Managing building projects, where staff must be separated into those who enter project financials and those who manage or reconcile those transactions
- Payroll duties, such as pay increases arising from appointments, and the filing versus the authorization of claims
- Travel preauthorization, expense claims and reconciliations
Separation of duties is applicable to almost every function within an organization. However, IT and accounting are the areas with the heaviest risk.
Duty segregation advantages
Some advantages around this type of internal control include:
Reducing and preventing irregularities
SoD is both an internal control and a security principle. The idea of disseminating key tasks among separate users reduces fraud incidences, as well as irregularities.
Ensuring priority issues are identified and addressed
This is especially important for companies that are subject to regulatory compliance. When internal controls are in place, not only can you identify priority issues quickly, but you can address them long before the regulatory authority finds out about them.
Protecting employees
When one person is responsible for everything, it can be overwhelming. SoD protects employees by providing appropriate checks and balances to ensure that one person doesn’t bear the responsibility should there be an irregularity.
Duty segregation disadvantages
There are also a few issues with the process that you should be aware of:
It is less efficient and more time-consuming
Duty segregation can be less efficient due to the very nature of the framework. Having to rely on different people to execute pieces of the process can lead to bottlenecks. If one person is overwhelmed or has an emergency, it can hold up the workflow.
It can be prone to accounting errors
This risk of accounting errors comes from having inadequate separation in place. The larger the organization, the more complex it is. This means that the SoD procedure must properly fit the organization's complexity in a way that compensates for and mitigates errors.
Another way it can lead to errors is if the duty segregation increases duplication. This control is meant to have one person handle a piece of a process. It’s not meant for the entire process or individual pieces to be completed by more than one person.
What to consider when implementing SoD
When it comes to implementation, the SoD matrix is an invaluable tool. This is a computer-generated roster that comes from the organization's enterprise resource planning system. It clearly defines all the tasks, roles and responsibilities, and it can even show you which combinations of tasks conflict (are at elevated risk of collision), helping you avoid potential financial loss.
In addition to having this matrix, the professional IT governance organization ISACA recommends assessing risk by coming up with a list of every risk scenario and possible responses. This helps your organization create the necessary processes as boundaries, as you form proper SoD governance policies.
This provides the framework for exercising IT access control, where the user’s profile dictates the tasks they can and can’t perform. Implementing SoD in a way that provides a deep benefit to your organization requires risk analysis and should be a part of your risk management activities.
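The SoD matrix described above is easiest to understand as code. The following is an added example, not the article's or ISACA's own tooling, and not what any ERP system actually produces: it builds a pairwise duty matrix from a constructed list of incompatible duties (modelled on the inventory, cash and project examples in this article), resolves each user's effective duties through their roles, and reports every user who holds a conflicting pair. It also checks whether a proposed role grant would introduce a new conflict, which is the preventive use of the same matrix. All role, user and duty names are constructed for illustration.

```python
"""Added example: a minimal segregation-of-duties (SoD) matrix checker.

Roles are what the access system grants; duties are what each role lets a
person do. Two duties are incompatible when the article's logic says one
person must not hold both (e.g. ordering goods and receiving them).
Every name below is constructed for this illustration.
"""
from itertools import combinations

# Constructed incompatible-duty pairs, one per SoD rule in the article.
INCOMPATIBLE_DUTIES = [
    ("create_requisition", "approve_purchase"),      # requester vs. approving manager
    ("order_goods", "receive_goods"),                # orderer vs. receiver
    ("receive_goods", "reconcile_inventory"),        # recorder vs. reviewer
    ("approve_purchase", "reconcile_inventory"),     # approver vs. reviewer
    ("receive_cash", "hold_safe_key"),               # cash handling vs. safe access
    ("enter_project_costs", "reconcile_project_costs"),  # project entry vs. reconciliation
]

# Constructed role -> duties mapping (what an ERP role would grant).
ROLE_DUTIES = {
    "requester": {"create_requisition"},
    "purchasing_clerk": {"order_goods"},
    "warehouse": {"receive_goods"},
    "purchasing_manager": {"approve_purchase"},
    "accounting": {"reconcile_inventory", "reconcile_project_costs"},
    "cashier": {"receive_cash"},
    "treasury": {"hold_safe_key"},
    "project_admin": {"enter_project_costs"},
}

# Constructed user -> roles mapping; three users deliberately accumulate conflicts.
USER_ROLES = {
    "alice": {"requester"},
    "bob": {"purchasing_clerk", "warehouse"},   # orders and receives goods
    "carol": {"purchasing_manager"},
    "dave": {"cashier", "treasury"},            # handles cash and holds the safe key
    "erin": {"accounting", "project_admin"},    # enters and reconciles project costs
}


def all_duties(role_duties, incompatible):
    """Every duty named anywhere, so the matrix has a row and column for each."""
    named = {d for ds in role_duties.values() for d in ds}
    named |= {d for pair in incompatible for d in pair}
    return sorted(named)


def build_matrix(duties, incompatible):
    """Return the symmetric SoD matrix as {duty: {duty: bool}}; True marks a conflict."""
    matrix = {d: {e: False for e in duties} for d in duties}
    for a, b in incompatible:
        matrix[a][b] = matrix[b][a] = True
    return matrix


def effective_duties(roles, role_duties):
    """Union of the duties granted by a set of roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def conflicting_pairs(duties, matrix):
    """All incompatible pairs present within one person's duty set."""
    return [(a, b) for a, b in combinations(sorted(duties), 2) if matrix[a][b]]


def find_conflicts(user_roles, role_duties, incompatible):
    """Detective control: which users currently hold incompatible duties?"""
    matrix = build_matrix(all_duties(role_duties, incompatible), incompatible)
    report = {}
    for user, roles in user_roles.items():
        pairs = conflicting_pairs(effective_duties(roles, role_duties), matrix)
        if pairs:
            report[user] = pairs
    return report


def grant_would_conflict(user, new_role, user_roles, role_duties, incompatible):
    """Preventive control: conflicts that adding `new_role` to `user` would create."""
    matrix = build_matrix(all_duties(role_duties, incompatible), incompatible)
    roles = set(user_roles.get(user, set())) | {new_role}
    return conflicting_pairs(effective_duties(roles, role_duties), matrix)


if __name__ == "__main__":
    for user, pairs in find_conflicts(USER_ROLES, ROLE_DUTIES, INCOMPATIBLE_DUTIES).items():
        print(f"{user}: holds incompatible duties {pairs}")
    proposed = grant_would_conflict("alice", "purchasing_manager",
                                    USER_ROLES, ROLE_DUTIES, INCOMPATIBLE_DUTIES)
    print(f"granting alice purchasing_manager would create: {proposed}")
```

The detective check is what a periodic access review runs over the full user population; the preventive check is what an approval workflow should run before a new role is granted, so that a conflict is refused at request time rather than discovered at audit time.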
How can segregation of duties be improved?
Even if you’re confident that there’s minimal risk of fraud or errors within your organization, you shouldn’t take anything for granted. Keep in mind that your ability to protect your business can always be improved.
A few ways you can keep on top of your internal controls are:
- Monitoring user access rights. This isn’t just the task of the IT department. Managers need to ensure that employees who aren’t supposed to have access to certain functions don’t. Once they have the right access, take a look at the user log data monthly, as well as the trends and variances that don’t match the expectations of the role. Remember when job functions change, user access rights need to be reviewed and adjusted.
- Reviewing financial reports. Although SoD can be applied to any department, it always comes down to finance because it's all about proper accounting. Monitor the necessary KPIs and month-to-month or year-to-year variance reports. Any trends that don't conform to standards need to be investigated. As a manager, you understand that your company's resources are limited. The faster you can detect errors and inconsistencies that could be a sign of fraud, the more money and time you'll save for everyone.
Best practices for duty separation
In addition to ISACA’s implementation framework and other improvement steps, there are a few other best practices to keep in mind, so you can stay in control of your security and reduce costs.
Know your business processes
When you know your business processes, you'll be able to spot gaps that could be exploited, whether by accident or on purpose.
Have a skilled consultant audit your business
While you know your business inside and out, having an outside specialist look at your processes provides a useful perspective. The consultant can find more vulnerabilities and provide you with quick solutions.
Practice granting the least privilege on your systems
Certain users will stress that they need full access to do their job. However, very few people need privileged access. With that in mind, practice a policy of granting the least privilege possible. If a user doesn’t use all their access, remove it and grant them what’s necessary. If they really do need full access, monitor and track their activity.
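The monthly user-access review described under "Monitoring user access rights" and the least-privilege rule above ("if a user doesn't use all their access, remove it; if they do need privileged access, monitor it") can both be driven from the same data: the list of entitlements each user holds and the access log for the review window. The following is an added example, not the article's or any vendor's code, with a constructed entitlement table and constructed log lines in an assumed `timestamp user=… entitlement=… action=…` format. It reports entitlements that went unused during the window (candidates for removal), how much each privileged entitlement was actually exercised (what to monitor), and any use of an entitlement the user was never granted (a variance that does not match the role and needs investigating).

```python
"""Added example: a least-privilege access review over entitlements and a log.

Three findings are produced for a review window ending on `review_date`:
  unused              granted but never exercised in the window -> remove
  privileged_activity privileged entitlements that were used -> monitor
  ungranted_use       use of an entitlement the user does not hold -> investigate
Entitlement names, users and log lines are all constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed entitlement table: what each user currently holds.
ENTITLEMENTS = {
    "bob": {"order_goods", "view_reports"},
    "carol": {"approve_purchase", "view_reports", "admin_erp"},
    "erin": {"reconcile_inventory", "admin_erp"},
}

# Constructed set of entitlements considered privileged.
PRIVILEGED = {"admin_erp", "approve_purchase"}

# Constructed access log. Erin's admin_erp use on 1 March falls outside a
# 90-day window ending 30 June, so that entitlement shows up as unused.
# Mallory uses order_goods without holding it, which is flagged separately.
ACCESS_LOG = """\
2024-06-03T08:01:10Z user=bob entitlement=order_goods action=create
2024-06-04T10:22:45Z user=carol entitlement=approve_purchase action=approve
2024-06-05T11:05:00Z user=carol entitlement=admin_erp action=config_change
2024-06-05T11:06:30Z user=carol entitlement=admin_erp action=config_change
2024-03-01T09:00:00Z user=erin entitlement=admin_erp action=login
2024-06-10T14:12:00Z user=erin entitlement=reconcile_inventory action=reconcile
2024-06-11T09:30:00Z user=mallory entitlement=order_goods action=create
"""

# Assumed log line format; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) entitlement=(?P<ent>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, user, entitlement, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["ent"], m["action"]))
    return events


def access_review(entitlements, privileged, log_text, review_date, window_days=90):
    """Compare granted entitlements against observed use inside the review window."""
    since = review_date - timedelta(days=window_days)

    # Count exercised (user, entitlement) pairs within the window only.
    used = {}
    for ts, user, ent, _action in parse_log(log_text):
        if ts >= since:
            used[(user, ent)] = used.get((user, ent), 0) + 1

    # Granted but not exercised: least-privilege says take it away.
    unused = {}
    for user, ents in entitlements.items():
        idle = sorted(e for e in ents if (user, e) not in used)
        if idle:
            unused[user] = idle

    # Privileged entitlements that were exercised: keep, but track activity.
    privileged_activity = {}
    for user, ents in entitlements.items():
        active = {e: used[(user, e)] for e in ents if e in privileged and (user, e) in used}
        if active:
            privileged_activity[user] = active

    # Exercised without a grant: a variance that does not match the role.
    ungranted = sorted(
        (user, ent) for (user, ent) in used if ent not in entitlements.get(user, set())
    )

    return {
        "unused": unused,
        "privileged_activity": privileged_activity,
        "ungranted_use": ungranted,
    }


if __name__ == "__main__":
    result = access_review(ENTITLEMENTS, PRIVILEGED, ACCESS_LOG,
                           datetime(2024, 6, 30, tzinfo=timezone.utc))
    for finding, detail in result.items():
        print(f"{finding}: {detail}")
```

Running this on the real entitlement export and log feed each month gives a manager the three lists the article asks for: what to remove, what to watch, and what to investigate. Because the check keys on (user, entitlement) rather than on role names, it also catches the case where a job change left an entitlement behind that the new role never exercises.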
Segregation of duties FAQs
Does SOX require SoD?
Sarbanes-Oxley (SOX) requires publicly traded companies to document and certify their financial controls. As far as segregation of duties is concerned, both the CEO and CFO must sign off on the document stating that the controls are in place and compliant. If regulators find that document willfully fraudulent, both executives could face prison time.
Can SoD affect business insurance?
Regular business insurance policies don’t cover crimes, such as fraud. However, separate commercial crime policies, also known as special multi-peril insurance, protect against those types of losses. Companies need to show that they’re a good risk for underwriters. This includes showing that there’s an active financial internal control mechanism, such as SoD. If not, the organization may not be eligible for coverage.
Who has the final responsibility for internal controls?
Ultimately, managers bear the responsibility for the internal controls. Whenever anyone at the staff level sees a problem, they bring it to management, who is responsible for correcting the issue.