Maintaining segregation of duties during talent shortages

2021 began with the “Great Resignation,” an ongoing economic trend in which employees voluntarily resigned from their jobs in masses. A record number of 4.5 million employees quit their jobs in March 2022, according to the U.S. Department of Labor. This trend leaves companies with vacant job positions and staffing shortages, saddling the remaining employees with additional responsibilities. Companies experiencing shifting of employee responsibilities should evaluate segregation of duties (SOD) around key processes to maintain effective operations and execution of key controls and activities.  

SOD is a fundamental element of internal controls and overall risk management and allocates key duties and functions of a specific process to multiple individuals to further reduce the risk of fraud and errors. There are four types of functions under the concept of segregation of duties: 

1. Authorization
2. Custody
3. Record keeping
4. Reconciliation

Roles and responsibilities should be designed and established to prevent one person from handling more than one type of function for any process.

Risks

Potential risks to an organization with a lack of SOD include:

• Fraud – A single employee performing all key functions within a process leaves no secondary oversight and allows for fraud to go undetected.  
• Errors – Lack of secondary oversight of a process means errors may not be detected and corrected in a timely manner. 
• Inefficiency – A single employee performing all key functions may increase the time it takes to complete tasks.

These risks can cause significant damage to an organization such as fraudulent payments, inaccurate financial statements, or reputational risks.

A real-world example

A strong SOD set up for functions under accounts payable might look like this:

1. Authorization – warehouse manager approves invoice for goods for payment
2. Custody – treasury clerk has access to bank accounts to make payments
3. Record keeping – accounts payable clerk has the ability to record and process invoices and payments into a general ledger
4. Reconciliation – accounting staff compares general ledger to cash and accounts payable transaction details, but do not have the ability to process invoices or initiate payments. 

The example above shows four different individuals involved in the accounts payable process. If the accounts payable clerk had access to the bank accounts to make payments, and the general ledger to record invoices and payments, there is a risk that the clerk could make a payment for a fraudulent invoice. If the accounts payable clerk needs access to the company’s bank account, a control requiring an appropriate independent and secondary individual to approve all payments from the bank accounts can be implemented to mitigate the risk. 

Job responsibilities and system / bank access should also be reviewed periodically to ensure no employee performs more than one of these functions. If an employee does perform multiple functions, there is an increased risk of undetected errors and an opportunity to misappropriate assets or conceal misstatements.  

Steps to take now

If it is determined that an individual has been performing multiple functions within a key process, the organization should design and implement compensating controls to mitigate the potential risks until roles and responsibilities can be appropriately segregated. Examples of compensating controls can include analytical reviews, periodic reviews of audit trail for transactions recorded to the general ledger, or reviews of exception reports. 

It is critical that functional areas such as information technology (IT) and accounting and finance evaluate SOD in their key processes regularly to address the risk of fraud and errors. To document and evaluate SOD, an internal policy and matrix should be created outlining roles and responsibilities within the organization and reviewed to identify potential conflicts. Companies should consider utilizing a SOD rule keeper within their enterprise resource planning (ERP) system or an external SOD tool to support SOD management. Access roles within key systems should be monitored and evaluated regularly. 

For more information on this topic, or to learn how Baker Tilly risk advisory-specialized Value Architects™ can help, contact our team.