Strong internal controls are the backbone of any well-run accounts payable function.
Without robust internal controls, there is a greater likelihood that your organisation will face potentially costly human error. Perhaps even more concerning is the fact that you may be defrauded by unscrupulous employees who will take advantage of the access they have to profit financially at your organisation’s expense.
One of the most important and effective internal controls any organisation can implement is Segregation of Duties. Sometimes it is referred to as Separation of Duties or Checks and Balances, which are essentially the same concept.
At its core, Segregation of Duties is all about ensuring different people within your organisation are responsible for completing different components of a task. No single individual should have responsibility for completing the entire task.
A Segregation of Duties violation occurs when one employee has control over more steps in your Accounts Payable function than they should, resulting in losses due to errors or fraud. A violation could also occur if your Segregation of Duties controls are insufficiently robust, allowing for two or more employees to collaborate in carrying out fraud.
In Australia, the Auditing and Assurance Standards Board has developed a framework known as “ASA 240: The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.”
ASA 240 emphasises the importance of Segregation of Duties in internal controls. It advises auditors that inadequate Segregation of Duties, otherwise known as independent checks, over assets may increase the susceptibility of an organisation’s assets to misappropriation.
Auditors understand that Segregation of Duties is the most effective way any organisation can manage the risks associated with both human error and internal fraud. Although an executive, such as the CFO or Accounts Payable Manager, may trust the individuals employed in their department, the reality is that individuals within the Accounts Payable function can cause significant damage to the organisation if there aren’t appropriate checks and balances in place. Irrespective of whether employees cause damage inadvertently or intentionally, every CFO or Accounts Payable Manager needs measures in place to protect the organisation from any potential risk.
Human error is always a factor in any Accounts Payable function. Busy staff can easily make data entry errors that see you remitting funds to an incorrect bank account. Establishing strong Segregation of Duties controls will allow your team to identify most errors before you irretrievably make an EFT payment transfer.
Even more concerning than human error is the risk that disgruntled employees in your Accounts Payable team may be seeking to deliberately steal from you. There are a number of reasons why employees may engage in fraud:
Internal fraud is an increasing problem, and it can take organisations many months, if not years, to identify instances where an employee has cleverly covered their tracks. With Segregation of Duties internal controls, it will be harder for any malicious employees to defraud your organisation.
When implementing Segregation of Duties controls within your organisation’s Accounts Payable function, it is actually important to think more broadly and to look at the entire Procure-to-Pay cycle.
It is important that no individual handles more than one step in the Procure-to-Pay cycle.
Having this internal control in place will make collusion between multiple employees necessary to perpetrate a fraud. The fact that multiple individuals would need to participate in such a crime automatically makes such crimes less likely.
As you can see in ACCOUNTS PAYABLE: The Essential Guide, there are numerous steps in the entire Procure-to-Pay cycle. Every step in this process should be analysed to ensure no individual employee has the ability to perform multiple steps in the cycle. Furthermore, overlap between certain steps may provide opportunities for collusion. These should be identified, and policies put in place to ensure they are not being performed by the same person.
For example, the employee inputting supplier data into the ERP system or Vendor Master File should not be the same employee that conducts 3-Way Matching.
Implementing strict Segregation of Duties controls in a large organisation is easier, as there are many more employees. This allows the Accounts Payable Manager to ensure different employees have responsibility for different steps in the Procure-to-Pay cycle.
However, this may not be possible in smaller organisations.
Smaller organisations don’t usually have enough employees to adequately implement a comprehensive Segregation of Duties framework.
For smaller organisations, you should consider other options that will deliver you the same level of protection afforded by comprehensive Segregation of Duties, such as:
As an example, you may decide to outsource responsibility for managing your Vendor Master File.
Of course, deciding to outsource management of some confidential corporate data carries its own potential problems. However, with the right outsourcing model, this option can help you achieve Segregation of Duties, whilst also making your Accounts Payable team run efficiently and leanly.
Another option is to implement additional checks into your Procure-to-Pay cycle. These may be manual in nature, but given your staffing constraints, this is probably not possible. An automated solution, such as eftsure, will help you achieve the same protections as comprehensive Segregation of Duties controls, without having to hire additional staff. The benefit of eftsure is that it ensures the banking details you are using to pay a supplier match the details used by other organisations when paying the same supplier. It therefore helps mitigate your risk of both human error and fraud every time you process an EFT payment.
The first thing the Accounts Payable Manager should do is establish a clear matrix of the Procure-to-Pay cycle and identify all the steps that need to be completed. It is then essential to assign individual roles to each of those steps.
With Role-Based Access Controls in place, you should be able to accurately create Roles in all relevant systems. Each Role must have Permissions set that limit access levels in ways that align with your Segregation of Duties matrix. You then need to assign individual employees, or Users, to each Role.
With these system restrictions in place, and the level of visibility they provide you, it should be possible to ensure Segregation of Duties policies are adhered to in your Accounts Payable function.
Use the following checklist to ensure your organisation has appropriate Segregation of Duties in place:
a) ESTABLISH POLICY – Closely examine your entire Procure-to-Pay cycle and identify all the steps that should be carried out by separate individuals.
b) ESTABLISH MATRIX – This is a visual tool that helps you define all the Roles in all your applications and systems.
c) SYSTEM ROLES – Set up all the Roles with appropriate Access levels in all your systems and applications. Remember to also set access rights to the files on your network’s shared drives accordingly.
d) IDAM TOOLS – Identity and Access Management tools can be used to establish appropriate access to systems and applications in ways that align with your Segregation of Duties matrix.
e) PROVISION ACCESS – Ensure the right individuals are assigned the right Roles. Bear in mind that as staff join your team, leave your team, are promoted, or demoted, these Access rights need to be adjusted accordingly.
f) IT COLLABORATION – In large organisations, the IT department will need to be involved in ensuring that all Roles and Access rights are set up and maintained correctly, in accordance with Segregation of Duties policies. This will require ongoing collaboration between the Accounts Payable Manager and the IT department.
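One way to review Role assignments against a Segregation of Duties matrix is sketched below. It is an added example, not from the original article or from any product it mentions. The step names, Roles and users are constructed for illustration; only supplier data entry into the Vendor Master File and 3-Way Matching are steps named in the article.

```python
from itertools import combinations

# Constructed SoD matrix: pairs of Procure-to-Pay steps one person must not hold together.
CONFLICTS = {
    frozenset({"vendor_master_entry", "three_way_match"}),
    frozenset({"vendor_master_entry", "payment_release"}),
    frozenset({"invoice_entry", "payment_release"}),
}
# Constructed Roles and the steps (Permissions) each one grants.
ROLE_PERMS = {
    "vendor_admin": {"vendor_master_entry"},
    "ap_clerk": {"invoice_entry", "three_way_match"},
    "payments_officer": {"payment_release"},
}
# Constructed User-to-Role assignments, including drift after staff changes.
USER_ROLES = {
    "alice": {"vendor_admin"},
    "bob": {"ap_clerk"},
    "carol": {"payments_officer", "ap_clerk"},  # kept old Role after promotion
    "dave": {"vendor_admin", "ap_clerk"},       # covering for absent colleague
}

def violations(user_roles, role_perms, conflicts=None):
    """Map each offending user to the conflicting step pairs they can perform.

    conflicts=None applies the strict rule that nobody holds more than one
    step, so every pair of steps held by one user is reported.
    """
    found = {}
    for user, roles in user_roles.items():
        unknown = roles - set(role_perms)
        if unknown:  # an unrecognised Role must fail the review, not pass silently
            raise KeyError(f"{user}: undefined roles {sorted(unknown)}")
        steps = set().union(*(role_perms[r] for r in roles))
        pairs = [p for p in combinations(sorted(steps), 2)
                 if conflicts is None or frozenset(p) in conflicts]
        if pairs:
            found[user] = pairs
    return found

def role_defects(role_perms, conflicts=None):
    """Roles that bundle conflicting steps on their own, whoever holds them."""
    return violations({r: {r} for r in role_perms}, role_perms, conflicts)

if __name__ == "__main__":
    for user, pairs in sorted(violations(USER_ROLES, ROLE_PERMS, CONFLICTS).items()):
        print(user, pairs)
```

Running the same check whenever staff join, leave or change position catches accumulated Roles such as the constructed "carol" case, where each Role is acceptable on its own but the combination is not.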
For a demonstration of how eftsure can help your organisation achieve the level of protection afforded by Segregation of Duties, contact us today.