What’s at stake when organizations lack proper segregation of duties (plus three ways to fix it)
SOD, most simply, is a form of risk management. The key is requiring that separate people complete critical tasks to avoid “incompatible duties” like recording, authorizing, and processing cash disbursements. This allows for more oversight, which leads to fewer mistakes and a lower fraud risk. As the AICPA puts it, failing to segregate duties is akin to giving just one person the keys, lock, and code for a nuclear weapon system, the danger of which is obvious. Although the risk isn’t life or death when it comes to public sector accounting, a lack of oversight can still be quite harmful to a significant number of people.
Here’s how failure to segregate duties hurts governments, school boards, and other public sector entities:
- Lack of operational efficiency
SOD exists, in part, to prevent mistakes. Many accounting software options will require you to have one person prepare a journal entry and a separate person post it. But if your system doesn’t have these restrictions, it’s easy to disregard. We get it — you’ve got a small team, a limited budget, and a lot of work to do. But if you think you don’t have time to segregate duties, do you have time to fail an audit due to misstated financials? Do you want to spend time explaining to your auditors why you don’t have dual signatures on checks or appropriate checks and balances in place? Restating financials isn’t just time- and labor-intensive; it’s costly, and it’s an embarrassment to your department.
- Fraud and corruption
The public sector has a duty to do what’s best for its constituents. Without oversight, it’s not just your reputation at stake; it’s also your ability to fulfill your duty to those who count on you. For example, when the person who writes the checks is the same person who approves them, there’s a significant risk of fraud. The same goes when one person is in charge of soliciting and approving bids, as well as setting up vendors and deciding who gets paid.
As one client of ours discovered before calling us in to help, a director of a department without SOD selected a “vendor” to whom they paid thousands. Turns out, the “vendor” was the director’s own spouse, and the checks were going straight to their personal account. With nobody double-checking the work, it’s easy to scrape a little off the top. Even somebody who would normally never think of committing such a crime might be tempted if they have the opportunity accompanied by enough financial pressure.
- Loss of the public’s trust
Is the public going to look favorably upon your office after this? Will they want to reelect somebody who failed to notice fraud in their own team? Will the average voter realize that you weren’t the fraudster? Or will they hear “fraud” or “corruption” in the same sentence as your name and draw their own conclusions? Even if corruption doesn’t occur and you just have to restate your financials, it can still harm public perception of the department and hurt the career of the person who’s responsible.
Luckily, there are ways to dramatically reduce your risk, without necessarily expanding your team or your budget (although that would certainly make it easier). When our team is engaged to improve segregation of duties — an issue that’s usually uncovered as part of a risk assessment (which you should be doing annually) — there are three steps we typically take:
1. Review your current staffing models to align staff to the correct responsibilities.
Say you have a two-person team, but only one person knows how to make journal entries. We can train the second person in what they need to know to properly segregate duties. We can also look for other opportunities to segregate duties that you may not have noticed, like collecting and depositing cash.
2. Review your user access to analyze potential conflicts.
Putting restrictions on what certain staff members can access in your ERP system is a simple way to segregate duties. A municipal client of ours once had a retiring staff member point out that her unrestricted access to the technology system meant she could have been stealing from the city for years, and that the client ought to fix it before she left. You may not be as lucky as that client, so having a third party examine where you need to place restrictions will minimize your risk.
3. Review your internal controls and current processes to recommend solutions.
Effective internal controls are critical to preventing fraud and ensuring accurate financial reporting. However, controls that can be circumvented and overridden may as well not exist at all. Mapping out the current processes, as well as the related controls, can help identify any potential SOD issues. A thorough internal control review can also provide process improvement recommendations and identify unmitigated risks or control gaps.
Of course, every organization is unique and will need different solutions when it comes to the segregation of duties. But the point is that there are cost-effective ways to shield your organization from SOD risk. Your reputation, your ability to serve your constituents, and your department’s ability to operate efficiently are at stake, so don’t ignore this issue. Next time you conduct your annual risk assessment, ask for a review of your segregation of duties. You might be surprised by what’s uncovered.