Segregation of Duties (SOD) is fundamental to maintaining internal controls and practicing good risk management within an organization. Over the lifespan of an asset or transaction, the key principle of SOD is that no individual is completely responsible for authorization, custody and record keeping, as well as reconciliations.
Assignment of duties should be clear and documented. The assignments should also be demonstrable to an outside party; this can take the form of physical signoffs or audit trails. SOD can assist with efficiency by splitting the workload and can serve as a check-and-balance for either intentional or unintentional errors.
An office manager in Missouri had access to the company’s accounting software. From 2011 to 2018, she embezzled about $420,000 from her employer, an industrial cleaning company. The office manager issued unauthorized checks and forged one of the owner’s signatures. These checks were deposited into her personal bank account for her own spending, and she even loaned some of this stolen money to a friend. She also used the company credit cards for personal expenses, like airplane tickets and clothing. To cover her scheme, she altered the company’s internal financial records before sending them to the company’s contract accountants.
An accountant at a small, family-owned company in South Carolina conducted multiple fraud schemes. From 2016 to 2018, the accountant used the company’s credit card for personal and family expenses, overpaid himself through payroll and authorized bank transfers to pay off his personal debt. The accountant manipulated the accounting records and general ledger entries to hide the thefts. Overall, more than $400,000 was stolen, and had it continued longer, the company would have faced closure. Additionally, the scheme put a strain on the owners’ personal finances: they had to take a loan on their home to cover the losses. Worst of all, the owners of the company considered the accountant to be a friend.
In the case of the South Carolina fraudster, the fraud continued until the owner was notified about the company credit card balances being past due. In this case, it took an outside party to raise a red flag.
In both of the aforementioned cases, segregation of duties could have reduced the opportunity for the fraud schemes or accelerated their discovery. In the first case, if the office manager had not had access to the company’s accounting software, she would not have been able to authorize and prepare checks, nor would she have had full access to alter the financial records. In the second case, if the accountant had not been able to alter payroll functions without higher-level approval, he would not have been able to increase his own salary. And because there was a lack of oversight of bank transfers, credit card purchases and journal entries, he could cover the fraud from start to finish.
The trust that the family-owned business had in their accountant created the opportunity for him to steal. Yes, it’s good for a company to have trust in its employees, but it’s even better to have the proper internal controls in place when trust is not enough.
Although SOD can fail when collusion occurs, it still provides safeguards against short- and long-term fraud that could cause tremendous financial damage to an organization and its owners, and potential damage to the reputation of all concerned.
One of the higher risk areas for fraud or theft is in cash controls. Receipt, deposit, recording and reconciling of cash should be segregated as much as possible. In small organizations where segregation is difficult, increased management oversight is suggested. The highest levels of management or members of the Board of Directors can provide oversight if necessary. And cash that cannot be deposited daily should be kept secure with limited personnel access.
Other options for small organizations include outsourcing accounting or payroll. If segregation within a department is not feasible, consider whether segregation by department can be accomplished. Consider rotating some job duties to identify potential discrepancies.
SOD is a type of insurance for your organization. It serves as a tool for the prevention and detection of fraud risks. These enhancements to your day-to-day and month-end processes can mean the difference between huge and minimal losses when a control stops a fraud.
The chart below offers an example of control best practices for segregating important financial tasks:
While no one can completely eliminate the opportunity for fraud or expensive accounting errors, by practicing segregation of duties, an organization takes a proactive step in mitigating the potential for fraud. SOD can also help you find flaws in the system sooner, rather than later.
For additional considerations, please reach out to our Assurance Services Team at Mahoney, who can be of help to you in any way.