duties

As CPAs, we toss out the phrase segregation of duties quite a bit. But what does it mean? More importantly, do our clients understand what it means or why having a segregation of duties is important? When we talk about having a segregation of duties, conceptually what we are trying to do is to break a transaction or operation down into four phases:

  1. Authorization
  2. Custody
  3. Recordkeeping
  4. Reconciliation

Then, we ask who is in charge of each phase. To understand the importance of having a segregation of duties, let’s look at a real-life example of a lack of segregation of duties.

Ed worked in a small but growing school district’s finance department for over 20 years. As the assistant controller, Ed was responsible for the school district’s payroll processing and had unrestricted access to the district’s financial accounting and payroll system. Ed also had the authority to transfer district funds.  During Ed’s tenure as assistant controller, the district went through several controllers and even had periods with no controller at all. As a result, there was little oversight of Ed. Over an eight-year period, it is estimated the Ed overpaid himself by $640,000 by simply inflating his semi-monthly net pay by amounts anywhere from $700 to $5,300. He would also post equivalent amounts to several different payroll-related benefit expenses. Ed made sure his year-to-date pay reflected his normal salary by lowering his cumulative earnings in the payroll system. Ed also violated the district’s record retention policies and destroyed some of the district’s payroll records. Ed’s fraud was discovered when the district received a request for salary and employment verification for Ed, and another employee noticed something unusual when checking Ed’s information in the payroll records.

Again, when we talk about having a segregation of duties conceptually, what we are trying to do is to break a transaction or operation down generally into the aforementioned four phases and ask who is in charge of each phase. So we are typically going to ask:

  1. who has authorization over the transaction or process (e.g., at the school district Ed had the authority to process each payroll cycle and also make changes to pay rates);
  2. who has custody or control over the asset or process (e.g., Ed had unrestricted access to the payroll system and the distribution of payroll);
  3. who is responsible for the recordkeeping related to the process (e.g., Ed had unrestricted access to the accounting and payroll system which made it possible for him to in some cases adjust records and in other cases destroy records to conceal his fraud); and
  4. who is over the reconciliation of the transaction or process (e.g., Ed was responsible for verifying each payroll cycle and making sure it was properly recorded).

Generally, if one individual controls more than one of the four phases of a transaction or operation, we have a segregation of duties issue and need to try to either segregate the duties or develop some type of compensatory control (e.g., have additional reviews of the process, dual authorizations, etc.). If one individual is over all four phases as Ed was at the school district, we have a severe lack of segregation of duties and a much more conducive environment for fraud or errors to occur and go undetected. As can be seen in the example of the school district, having a proper segregation of duties is more than just a catch phrase, it is a critical element of an entity’s defense against fraud.

Interested in learning more? Attend one of these upcoming webinars on Fraud and Abuse in Not-for-Profit Entities and Governments.

Charlie Blanton, CPA is Senior Director of Governmental and Nonprofit Content for Surgent, where he authors Surgent’s government and not-for-profit CPE courses and is a frequent webinar instructor. Charlie has over 25 years of experience in auditing and industry having worked at KPMG, the Texas Society of CPAs, Taylor Publishing, Texas Wesleyan University, and the AICPA.

Leave a Reply

Your email address will not be published. Required fields are marked *