Segregation of Duties

Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: first, a deliberate fraud is more difficult because it requires collusion of two or more persons, and second, it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a cross-check of duties.

If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have generally been assigned or allowed access to incompatible duties or responsibilities. Some examples of incompatible duties are:

Authorizing a transaction and receiving and maintaining custody of the asset that resulted from the transaction.
Receiving checks (payment on account) and approving write-offs.
Depositing cash and reconciling bank statements.
Approving time cards and having custody of pay checks.
Having unlimited access to assets, accounting records and computer terminals and programs. For instance, having access to and using checks as the source documents to post to accounting records rather than using a check log or receipts.

There are four general categories of duties or responsibilities which are examined when segregation of duties is discussed: authorization, custody, record keeping and reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties, especially when dealing with cash, negotiable checks and inventories.

In those instances where duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the record keeper also performs a reconciliation process, a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions. Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry-only access, logs, dual authorization requirements, and documented reviews of input/output.

Some special aspects of segregation of duties apply to IT functions themselves. There should be segregation between systems development and operations, operations and data control, and database administration and system development.