Segregation of duties (SoDs) is an important concept in internal control frameworks, financial reporting and regulatory compliance, including the Sarbanes-Oxley Act (SOX). It is a component of an effective control environment. The overall effectiveness of management's internal controls depends to a large extent on SoDs. For effective internal controls, there needs to be an adequate division of responsibilities.
The basic idea underlying SoDs is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
Traditional systems of internal control rely on assigning certain responsibilities to different individuals, or segregating incompatible functions. The general premise of SoDs is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets. It is important to keep in mind that SoDs do not prevent collusion.
Why is SoDs important?
SoDs help minimize the risk that an organization fails to achieve its goals, to provide reliable financial data, or to comply with laws and defined policies. Without SoDs, administrative or other recording errors may not be detected in a timely manner, because no independent, objective review of transactions takes place, and inappropriate or unauthorized (fraudulent) transactions may be permitted to occur, because one individual controls a major portion of the revenue, expenditure, payroll or other functions.
SOX and other regulatory issues are forcing companies to increase their awareness of, and accountability for, their employees' actions within the company. Recent privacy laws and prosecutions of security violations are bringing new awareness to monitoring and controlling security and access to data within organizations.
What is the risk?
Inadequate segregation of duties could make fraud prevention, detection and investigation difficult, which could lead to misstated financial statements, regulatory penalties, damage to the company's reputation and reduced investor trust.
There is also the risk of misappropriation of assets, which involves third parties or employees in an organization who abuse their position to steal from it through fraudulent activity.
If internal controls cannot be relied upon, this creates the need for increased substantive testing by internal audit and the external auditor, translating into additional costs to the organization. More serious findings could lead the external auditor to conclude that the company has a significant deficiency or material weakness.
Lastly, if SoDs are not present, it raises the question of whether the information and evidence obtained are reliable and free from errors, or whether they suggest that a material misstatement exists. As a result, the auditor may increase sample sizes, lower the substantive testing threshold or increase audit procedures overall.
SoDs should be commensurate with the size, complexity and overall risk of a company's operations and financial reporting environment. It is important to always consider the risks to the organization first. Businesses continue to increase their reliance on IT, which makes SoDs even more important in efforts to reduce fraud and increase operational effectiveness. Compensating or mitigating controls may exist to reduce the risks resulting from a lack of appropriate segregation of duties. These controls include audit trails, reconciliations, supervisory reviews and transaction logs.
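As an added example (not code from the original article or from KnowledgeLeader), the following Python script applies the premise above to a constructed role and user assignment: it computes each user's effective duties across all of their roles, flags duty pairs the organization has defined as incompatible, and separates conflicts that are covered by a documented compensating control from those that still need remediation. All role, duty and user names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: roles grant duties, users hold one or more roles.
# Duty and role names are illustrative labels, not taken from any real system.
ROLE_DUTIES = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_approver":   {"approve_payment"},
    "treasury":      {"release_payment"},
    "gl_accountant": {"post_journal", "reconcile_bank"},
    "read_only":     {"view_reports"},
}
USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver"},   # accumulated a second role over time
    "bob":   {"treasury", "gl_accountant"},
    "carol": {"ap_clerk"},
    "dave":  {"gl_accountant", "read_only"},
}
# Incompatible pairs: one person should not both initiate or hold assets
# and authorize or account for them.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"release_payment", "reconcile_bank"}),
    frozenset({"post_journal", "release_payment"}),
}
# Conflicts management has accepted with a documented compensating control.
COMPENSATING = {
    ("bob", frozenset({"release_payment", "reconcile_bank"})):
        "monthly supervisory review of the bank reconciliation",
}

def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties a user holds through all assigned roles."""
    return set().union(*(role_duties[r] for r in user_roles.get(user, ())))

def find_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, incompatible=INCOMPATIBLE):
    """Map each user to the sorted list of incompatible duty pairs they hold (clean users omitted)."""
    result = {}
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        pairs = [frozenset(p) for p in combinations(sorted(duties), 2) if frozenset(p) in incompatible]
        if pairs:
            result[user] = sorted(pairs, key=sorted)
    return result

def unmitigated(conflicts, compensating=COMPENSATING):
    """Conflicts with no documented compensating control; these require remediation."""
    return {(u, p) for u, pairs in conflicts.items() for p in pairs if (u, p) not in compensating}

if __name__ == "__main__":
    for user, pairs in find_conflicts().items():
        for p in pairs:
            print(f"{user}: {' + '.join(sorted(p))} -> {COMPENSATING.get((user, p), 'NO COMPENSATING CONTROL')}")
```

Running the script against the constructed data reports two conflicts for alice and two for bob, of which only bob's release/reconcile pair is covered by a compensating control.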
You can read more on this topic in our Segregation of Duties and Logical Access Guide and by exploring these related risk management tools on KnowledgeLeader: