Segregation of Duties Best Practices
Segregation of Duties (SOD) is the separation of key processes that disperses critical functions to more than one person or department.[1] In short, it is ensuring that the custody, authorization, and record keeping functions of a process are performed by distinct and empowered departments or personnel. Segregation of duties is an important tool in preventing and detecting and correcting errors or fraud. Small companies and small business units sometimes find it difficult to implement SOD because of personnel constraints, cost implications, and lack of best practices guidance.
The difficulty of implementing SOD however, should not be used as an excuse to ignore or minimize the importance of having SOD in place because the lack thereof can be very consequential to the survival of a business. Take for example the $34 million embezzlement that happened at Koss Corp. due to lack of adequate segregation of duties.[2] Koss Corp.’s Vice President of Finance was able to have false journal entries entered, authorized, and posted to the official accounting records without any oversight.[3] The entries were made without any supporting documentation and went undetected because of the inadequacy of the company’s SOD.[4]
Segregation of Duties Considerations
Companies, irrespective of their size, should be proactive in their approach to SOD. CompVisory recommends the following considerations:
Review of Current Structure
The number of personnel and processes should be evaluated at the company wide and business unit levels, where appropriate, so that SOD consideration can be evaluated sufficiently. This endeavor should have the support of senior leadership, appointed an owner with sufficient competence and authority, and monitored for its effectiveness. Companies should consider the following processes at a minimum:
- System Administration
- Accounting system access control
- Cash collection and disbursement
Review of Current SOD Landscape
Companies should begin with evaluating their processes and resources (personnel & systems) and then perform a risk analysis to evaluate the following implications to the company:
- The likelihood of certain occurrence;
- The impact they could have on the company;
- The velocity/speed of the implications to the company; and
- The mitigating factors that their existing controls provide.
High risk items; for example, fraudulent or erroneous activities that could decimate the company should be given immediate attention. Often times the actual cost to a company that is subjected to a breach is much more than just the lost from the breach; for example, in the Koss Corp. case where $34 million was embezzled, the company was still held liable for the additional costs associated with law suits and fines. Companies would do well to consider these additional costs as well as reputational costs (brand deterioration) when assessing their risks.
Determining the Appropriate SOD Posture
Risks should be ranked and prioritized based on their rating, and corrective action plans, if needed, should be developed, implemented, and monitored to provide that the company is staying ahead of the implications of its risk universe. The exercise should be documented, revisited, and updated as appropriate. High and medium risk items should be treated as such.
SOD Low Hanging Fruits
Companies at a minimum should strive to ensure the following:
- No one in the organization is allowed access to unilaterally create and release a cash transaction;
- No one in the accounting department should have system administrator access; and
- No one should be able to unilaterally create and post journal entries.
[1] Anthony Ghosn, Segregation of Duties, AICPA, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx
[2] United States Securities Exchange Commission v. Koss Corp. and Michael J. Koss, Civ. No. 2:11-cv-00991 (Cir. Ct. E.D. Mo. 2011) available at https://www.sec.gov/litigation/complaints/2011/comp22138.pdf
[3] Id. at ¶19
[4] Id. at ¶20