Re-Post of a blog written by Teresa Bockwoldt, first posted on www.vibato.com
If you are like most finance executives, you probably would like to minimize the risk of fraud and financial mistakes within your organization. You probably would also like to reduce the chance of an audit-related surprise, such as a material weakness, and avoid wasting time and resources on out-of-scope situations.
One way to achieve these objectives is to complete a Segregation of Duties (SoD) analysis at the beginning of each fiscal year. This relatively simple process, which takes only a few hours with the right information and tools, can yield big rewards, especially for small or rapid growth companies, or nonprofit organizations where there is an imbalance between number of staff (low) and workload (high).
The SoD analysis describes all the tasks related to your financial transactions and lists the employee or title responsible for handling each of those tasks. And when we say all the tasks, we mean all the tasks, from the most mundane (who opens the mail) to the most strategic (who signs payroll checks). This analysis emphasizes who, not how: the SoD focuses on people and tasks, not policies and procedures.
The SoD identifies points in your financial processes where fraud or mistakes might occur and go undetected because one person is completing several finance-related tasks that conflict with each other (a segregation conflict). For example, consider the opportunity for fraud if the accounting personnel have access to both your check stock and your signature stamp, or if the same shipping and receiving manager receives inventory and investigates inventory discrepancies.
In a good SoD analysis, you would identify these segregation conflicts and develop a way to mitigate them – such as dividing the responsibilities or incorporating a monthly review of transactions by a higher level manager. The goal is to make it harder for anyone who works at your organization (including employees, consultants, volunteers, and Board members) to be tempted to commit fraud. Essentially, you are minimizing organizational risk by removing the opportunity, and hence the temptation, to commit fraud.
Since audits focus on risk and how it is mitigated, the SoD analysis will help both your fraud prevention and audit preparation efforts. Your auditor will be looking for holes within your organization where there might be opportunities for mistakes or concealment. If you can show the auditor you’re identifying and plugging those holes, by providing a copy of your SoD plus a list of follow-up actions, you can reduce the work your auditor needs to do and demonstrate the integrity of your organization’s financial reporting efforts.
A segregation of duties analysis is always completed as part of an audit; so if you do not complete one and show the results to your auditors, your auditor will complete one for you — and charge you for it. We recommend that organizations complete their SoD analyses, either on their own or with help from an objective third party, for several reasons. The biggest advantage of this approach is that an organization will be able to identify and remediate conflicts before the annual audit, thus minimizing the risk of a negative opinion. Another benefit is that if you can show your auditor that you are identifying and mitigating segregation conflicts, it increases their belief that you are running your organization properly and lowers their perception of your organizational risk – this can benefit you in other ways as well.
We recommend a five (5) step approach to completing an SoD analysis:
Step 1: Choose Your SoD Approach
Your executive team has decided to conduct an SoD analysis; now you must determine whether to complete the analysis using only internal resources or with help from a qualified third party.
We strongly recommend bringing in third-party assistance unless your internal audit or accounting team has both the experience and the tools to complete this process efficiently and cost-effectively. As is always the case when hiring a consultant, you’ll need to weigh the consultant’s fees and experience against the time and costs your in-house team would spend creating an in-house tool, researching your auditor’s requirements, collecting the information, and compiling the results.
Another tip: If you plan to do the analysis internally, do some research on the best tools/methods available that you can leverage. There is no reason to create this process from scratch, since a little knowledge will get you a long way towards understanding where you need to focus, and how to collect/analyze/remediate any issues. The more automated you can make your approach, the more reliance your auditors will tend to place on it because you are minimizing the risk of human error.
Finally, you will need to understand what risk levels are acceptable or unacceptable, not just to your organization but to your auditor. So before you start your SoD, review the notes from prior audits and/or ask your external auditors about their top concerns. This proactive approach will help you prioritize the conflicts you find and take action only on the ones that matter to your auditor.
Step 2: Tap Your Knowledge Network
Now that you have a methodology, some tools, and a team, you need to acquire information about who does what within your organization.
Remember, many finance-related activities happen outside the finance organization itself. For example, your receptionists “touch” the finance department if they’re responsible for receiving, opening, and sorting the mail. Similarly, your warehouse staff also “touch” the finance department when they ship products or receive inventory and invoices. For a comprehensive SoD analysis, then, it is extremely important to bring in representatives from the human resources, operations, IT, and finance departments, as well as directors or managers from satellite offices or manufacturing facilities.
Gather all representatives for an in-person meeting or conference call, during which your internal audit leader or consultant will go step-by-step through each finance task, and ask for information about who completes these tasks. It is important to assign titles, rather than individual names, to ensure the analysis stays consistent regardless of the day-to-day human resources changes in the organization (such as absences, resignations, or promotions).
Step 3: Identify and Prioritize Conflicts
Once you’ve assigned titles to tasks, you need to see where your segregation conflicts lie and prioritize them according to your organization’s risk limits. As a general rule, you should pay close attention to conflicts in tasks related to receiving or disbursing cash or checks; wire transfers; managing inventory; and posting journal entries.
Here’s where using an automated, visually-oriented approach pays off. Imagine the time you’d spend sifting through hundreds of pages of documents, manually checking titles and tasks, creating graphics to show the conflicts, and then ranking those conflicts according to risks. Some auditors and consultants still use this manual approach, which makes completing the SoD time-consuming and expensive. You’ll save time and money, and likely get a better result, by using an automated tool that synthesizes the information and provides a graphical output with conflicts highlighted and ranked according to the risks your organization and your auditor have identified.
Step 4: Develop Mitigation Plans
During this step, keep in mind that every organization has some SoD conflicts. Your goal is not to get to zero conflicts but rather to recognize which conflicts you have and to address those conflicts according to the risks they pose to your organization.
Your mitigation options include reassigning responsibilities, hiring more staff, increasing the frequency of cross-checks (like monthly closes), or introducing new approvals or reviews either within or outside the finance department. A nonprofit or small company, for example, might ask a board member to review financial transactions, in lieu of hiring another staff member.
Occasionally, your auditor might disagree with how you’ve prioritized conflicts or want a more aggressive mitigation (such as hiring a new employee) that goes against your business realities. In these situations, it’s important to go back to your SoD analysis and prior years’ audits and provide evidence that backs up your assessment. If you have a third-party consultant, they should be able to argue your case.
Step 5: Apply Your Analysis Beyond the Audit
You’ll want to share your SoD analysis with your auditors twice – when you’ve first completed it, to ensure that all areas of business risk are covered, and again when they are completing your year-end audit. In the meantime, you can apply the lessons learned from your SoD analysis to other areas of your business. Since this analysis will highlight where existing duties are distributed unevenly throughout the applicable resource pool, the tool also helps you make more informed decisions during company-wide or departmental reorganizations. This analysis can be used to justify staffing recommendations to the management team or Board of Directors.
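The conflict identification, ranking and mitigation tracking described in Steps 2 through 4, sketched as an added example; it is not part of the original post and is not the tool the author refers to. The titles, tasks, risk ranks and mitigation text are constructed, and only the check-stock and inventory pairs come from the article's own examples.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample from Step 2: task -> titles (not names) that perform it.
ASSIGNMENTS = {
    "open mail": {"Receptionist"},
    "access check stock": {"Staff Accountant"},
    "access signature stamp": {"Staff Accountant", "Controller"},
    "receive inventory": {"Shipping and Receiving Manager"},
    "investigate inventory discrepancies": {"Shipping and Receiving Manager"},
    "post journal entries": {"Controller"},
    "initiate wire transfers": {"Controller"},
}
# Conflicting task pairs with an assumed risk rank (1 = highest).
CONFLICT_RULES = {
    frozenset({"access check stock", "access signature stamp"}): 1,
    frozenset({"initiate wire transfers", "post journal entries"}): 1,
    frozenset({"receive inventory", "investigate inventory discrepancies"}): 2,
    frozenset({"open mail", "post cash receipts"}): 2,
}
# Step 4: compensating controls already in place, per (title, task pair).
MITIGATIONS = {
    ("Controller", frozenset({"initiate wire transfers", "post journal entries"})):
        "monthly review of transactions by a board member",
}

def tasks_by_title(assignments):
    """Invert task -> titles into title -> tasks."""
    out = defaultdict(set)
    for task, titles in assignments.items():
        for title in titles:
            out[title].add(task)
    return out

def find_conflicts(assignments, rules, mitigations):
    """Step 3: every title holding both tasks of a conflicting pair."""
    findings = []
    for title, tasks in tasks_by_title(assignments).items():
        for pair in combinations(sorted(tasks), 2):
            key = frozenset(pair)
            if key in rules:
                findings.append({"title": title, "tasks": pair, "risk": rules[key],
                                 "mitigation": mitigations.get((title, key))})
    # Unmitigated conflicts first, then highest risk, then title for stable output.
    findings.sort(key=lambda f: (f["mitigation"] is not None, f["risk"], f["title"]))
    return findings

def unassigned_rule_tasks(assignments, rules):
    """Tasks a rule names that nobody was assigned: a gap in the Step 2 inventory."""
    return sorted({t for pair in rules for t in pair} - set(assignments))

if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS, CONFLICT_RULES, MITIGATIONS):
        print(f["risk"], f["title"], f["tasks"], f["mitigation"] or "UNMITIGATED")
    print("not in inventory:", unassigned_rule_tasks(ASSIGNMENTS, CONFLICT_RULES))
```

A rule whose task is missing from the inventory can never fire, so a non-empty result from `unassigned_rule_tasks` means the task list needs another pass before the conflict report can be relied on.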