Segregation of Duties Best Practices


Segregation of Duties (SOD) is the separation of key processes so that critical functions are dispersed across more than one person or department.[1] In short, it ensures that the custody, authorization, and record-keeping functions of a process are performed by distinct and empowered departments or personnel. Segregation of duties is an important tool for preventing, detecting, and correcting errors or fraud. Small companies and small business units sometimes find SOD difficult to implement because of personnel constraints, cost implications, and a lack of best-practices guidance.

The difficulty of implementing SOD, however, should not be used as an excuse to ignore or minimize its importance, because the lack of SOD can be very consequential to the survival of a business. Take for example the $34 million embezzlement at Koss Corp., which was made possible by a lack of adequate segregation of duties.[2] Koss Corp.’s Vice President of Finance was able to have false journal entries entered, authorized, and posted to the official accounting records without any oversight.[3] The entries were made without any supporting documentation and went undetected because of the inadequacy of the company’s SOD.[4]

Segregation of Duties Considerations

Companies, irrespective of their size, should be proactive in their approach to SOD.  CompVisory recommends the following considerations:

Review of Current Structure 

The number of personnel and processes should be evaluated at the company-wide and, where appropriate, business-unit levels so that SOD can be considered sufficiently. This endeavor should have the support of senior leadership, an appointed owner with sufficient competence and authority, and ongoing monitoring of its effectiveness. Companies should consider the following processes at a minimum:

  • System Administration
  • Accounting system access control
  • Cash collection and disbursement

Review of Current SOD Landscape

Companies should begin with evaluating their processes and resources (personnel & systems) and then perform a risk analysis to evaluate the following implications to the company:

  1. The likelihood of a given event occurring;
  2. The impact it could have on the company;
  3. The velocity (speed) with which the impact would reach the company; and
  4. The mitigating factors that existing controls provide.

High-risk items, for example fraudulent or erroneous activities that could decimate the company, should be given immediate attention. Often the actual cost to a company subjected to a breach is much more than the loss from the breach itself; in the Koss Corp. case, where $34 million was embezzled, the company was still held liable for the additional costs associated with lawsuits and fines. Companies would do well to consider these additional costs, as well as reputational costs (brand deterioration), when assessing their risks.

Determining the Appropriate SOD Posture

Risks should be ranked and prioritized based on their rating, and corrective action plans, where needed, should be developed, implemented, and monitored so that the company stays ahead of the implications of its risk universe. The exercise should be documented, revisited, and updated as appropriate. High- and medium-risk items should be treated with the urgency their rating warrants.

SOD Low-Hanging Fruit

Companies at a minimum should strive to ensure the following:

  1. No one in the organization is allowed access to unilaterally create and release a cash transaction;
  2. No one in the accounting department should have system administrator access; and
  3. No one should be able to unilaterally create and post journal entries.
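As an added illustration (not part of the original article), the following Python script applies the three minimum rules above, plus the enter/authorize/post conflict seen in the Koss Corp. case, to a constructed entitlement export and lists who is in breach; the user names, departments and entitlement codes are assumptions to be mapped onto your own system's roles.

```python
# Added example (not from the article): detective SOD check over an
# entitlement export. User names, departments and entitlement codes are
# constructed for illustration; map them to your own system's roles.
from collections import defaultdict

# Entitlement pairs no single person may hold, one per minimum SOD rule.
CONFLICTS = {
    ("CASH_CREATE", "CASH_RELEASE"): "can unilaterally create and release a cash transaction",
    ("JE_CREATE", "JE_POST"): "can unilaterally create and post journal entries",
    ("JE_CREATE", "JE_AUTHORIZE"): "can enter and authorize the same journal entries",
}
# Departments whose staff must never hold system administrator rights.
ADMIN_BARRED_DEPARTMENTS = {"Accounting"}


def find_violations(entitlements):
    """Return sorted (user, reason) pairs for every SOD breach.

    entitlements: iterable of (user, department, entitlement) tuples, as
    exported from the accounting system or identity provider.
    """
    by_user = defaultdict(set)
    dept_of = {}
    for user, dept, ent in entitlements:
        by_user[user].add(ent)
        dept_of[user] = dept

    violations = []
    for user, ents in by_user.items():
        for (a, b), reason in CONFLICTS.items():
            if a in ents and b in ents:
                violations.append((user, reason))
        if "SYS_ADMIN" in ents and dept_of[user] in ADMIN_BARRED_DEPARTMENTS:
            violations.append((user, "accounting staff with system administrator access"))
    return sorted(violations)


# Constructed sample export: one clean user and three in breach.
SAMPLE_ENTITLEMENTS = [
    ("aclerk", "Accounting", "JE_CREATE"),
    ("aclerk", "Accounting", "JE_POST"),
    ("bvp", "Finance", "CASH_CREATE"),
    ("bvp", "Finance", "CASH_RELEASE"),
    ("cadmin", "Accounting", "SYS_ADMIN"),
    ("dcontroller", "Accounting", "JE_AUTHORIZE"),
]

if __name__ == "__main__":
    for user, reason in find_violations(SAMPLE_ENTITLEMENTS):
        print(f"{user}: {reason}")
```

Running the check on each export, rather than once at implementation, is what turns the list above from a policy into a monitored control.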

[1] Anthony Ghosn, Segregation of Duties, AICPA, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx

[2] United States Securities Exchange Commission v. Koss Corp. and Michael J. Koss, Civ. No. 2:11-cv-00991 (Cir. Ct. E.D. Mo. 2011) available at https://www.sec.gov/litigation/complaints/2011/comp22138.pdf

[3] Id. at ¶19

[4] Id. at ¶20

Written by 

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has been conducting as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance and forensic audits over the course of his career. His experience includes financial, IT, SOC (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), operations and compliance audits, examinations, reviews and consulting engagements. Dean is a subject matter expert in SSAE18/SOC 1 and SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm, where he audited multiple Fortune 500 companies. Later, as a lead auditor at a Fortune 500 company, he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that transitioned the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory’s vision and mission, and for empowering the CompVisory team with the guidance and resources necessary for their achievement.