2021 began with the “Great Resignation,” an ongoing economic trend in which employees voluntarily resigned from their jobs in masses. A record number of 4.5 million employees quit their jobs in March 2022, according to the U.S. Department of Labor. This trend leaves companies with vacant job positions and staffing shortages, saddling the remaining employees with additional responsibilities. Companies experiencing shifting of employee responsibilities should evaluate segregation of duties (SOD) around key processes to maintain effective operations and execution of key controls and activities.
SOD is a fundamental element of internal controls and overall risk management and allocates key duties and functions of a specific process to multiple individuals to further reduce the risk of fraud and errors. There are four types of functions under the concept of segregation of duties:
Roles and responsibilities should be designed and established to prevent one person from handling more than one type of function for any process.
Potential risks to an organization with a lack of SOD include:
These risks can cause significant damage to an organization such as fraudulent payments, inaccurate financial statements, or reputational risks.
A strong SOD set up for functions under accounts payable might look like this:
The example above shows four different individuals involved in the accounts payable process. If the accounts payable clerk had access to the bank accounts to make payments, and the general ledger to record invoices and payments, there is a risk that the clerk could make a payment for a fraudulent invoice. If the accounts payable clerk needs access to the company’s bank account, a control requiring an appropriate independent and secondary individual to approve all payments from the bank accounts can be implemented to mitigate the risk.
Job responsibilities and system / bank access should also be reviewed periodically to ensure no employee performs more than one of these functions. If an employee does perform multiple functions, there is an increased risk of undetected errors and an opportunity to misappropriate assets or conceal misstatements.
If it is determined that an individual has been performing multiple functions within a key process, the organization should design and implement compensating controls to mitigate the potential risks until roles and responsibilities can be appropriately segregated. Examples of compensating controls can include analytical reviews, periodic reviews of audit trail for transactions recorded to the general ledger, or reviews of exception reports.
It is critical that functional areas such as information technology (IT) and accounting and finance evaluate SOD in their key processes regularly to address the risk of fraud and errors. To document and evaluate SOD, an internal policy and matrix should be created outlining roles and responsibilities within the organization and reviewed to identify potential conflicts. Companies should consider utilizing a SOD rule keeper within their enterprise resource planning (ERP) system or an external SOD tool to support SOD management. Access roles within key systems should be monitored and evaluated regularly.
For more information on this topic, or to learn how Baker Tilly risk advisory-specialized Value Architects™ can help, contact our team.