Why Segregation of Duties is Essential for Internal Control
September 01, 2024
Reprinted with permission of the New Jersey Society of CPAs, njcpa.org
The foundation for having optimal performance and reduction of risks is to ensure that there are adequate internal controls. These are processes designed to provide reasonable assurance about the achievement of the company’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Segregation of duties is a key internal control that involves assigning responsibilities to more than one individual so that no single individual has sole control over an entire process. As such, no single individual can initiate, authorize, record and review a transaction without the involvement of another individual. Proper segregation of duties is key to ensuring critical safeguards over internal controls and minimizes the risk of errors, conflicts of interest, theft and fraudulent activity. Although segregation of duties can cause bottlenecks and lead to inefficiencies, it is a best practice and prevents bigger issues from arising.
COSO Framework
The COSO (Committee of Sponsoring Organizations) framework is a set of guidelines for companies to implement internal controls to manage, prevent and detect fraud risk. There are five components of the COSO framework:
- Control environment — sets the tone of the company and its employees and includes integrity, ethical values and management’s attitude and operating style.
- Risk assessment — the identification of relevant risks within a company and how those risks should be managed to achieve the company’s objectives.
- Control activities — the policies and procedures enforced to ensure management directives are implemented.
- Information and communication — relevant and significant information must be identified, captured and communicated in a timely manner to internal parties, such as management, and external parties, such as vendors.
- Monitoring activities — internal controls should be continuously monitored to assess whether they are working effectively.
Implementation
There are two steps to implementing segregation of duties. The first step is to establish and create policies and procedures for each department. Management should determine what key controls are relevant and significant to the company to ensure proper safeguards. Creating a standard operating procedure (SOP) on the processes and controls will allow all individuals to understand the necessary responsibilities by department and by individual. When creating the SOP, management should build a segregation of duties matrix, listing out all the responsibilities by department and by individual to properly ensure there are no conflicts where individuals have access to several different areas.
The second step is to monitor and manage how segregation of duties is functioning. Management should periodically monitor how the departments are operating with these procedures and oversee whether the segregation of duties is being implemented and maintained. If controls are not working effectively, management should determine the root cause and find a solution.
Common Examples
Some common examples of proper segregation of duties include the following:
- Cash receipts and revenue process: No single individual should have the ability to collect, deposit, record and reconcile cash receipts. The individual collecting and recording the cash receipts should not be the same individual who is making the deposit to the bank. Another individual (who is independent of the individuals collecting, recording and depositing the cash receipts) should reconcile the deposit to the general ledger through bank reconciliations, and another separate individual should review the reconciliation.
- Purchasing process: The individual initiating a purchase order for goods should not be the same individual approving the purchase. The individual approving the purchase of the goods should not be the same individual who initiates payment for those goods. Additionally, the individual initiating the payment for the goods should not be the same individual with custody of the checks.
- IT systems: Individuals should have the appropriate access to systems and the level of access given (e.g., review only, super admin) should be commensurate with their respective job responsibilities.
Companies should regularly evaluate which controls are the most critical and the key areas in which there should be proper segregation of duties including the authorization of transactions, custody of assets and reconciling/reviewing of transactions. All in all, proper segregation of duties helps ensure errors, whether unintentional or intentional, are detected by another individual.
By Samantha Schmitt, CPA, Withum
Samantha Schmitt, CPA, is an audit manager at Withum. She is a member of the NJCPA and can be reached at sschmitt@withum.com.