Segregation of Duties: It Matters
Susan worked as a bookkeeper for a medical practice. Her duties included paying invoices, entering financial transactions into the firm’s accounting system, performing bank reconciliations, and collecting patient co-pays.
Susan worked for the firm for approximately 10 years and was a trusted employee. She was quite friendly with her co-workers and the physicians who worked for the practice. Over time, Susan realized that her duties enabled her to make cash disbursements, record the transactions and reconcile the books and records for the practice. She subsequently devised a scheme whereby she processed wire transfers from the medical practice’s bank account into her own bank account or to her personal credit card company. She would then record the disbursements as business-related expenses incurred by the physicians in the accounting system to reflect a legitimate reason for the disbursements. Over time, Susan grew greedier and the amounts she embezzled grew larger. She continued her scheme for approximately 4 years until she was finally caught. She embezzled over $700,000 from the practice.
The failure to segregate the duties of disbursing, recording and reconciling cash is a critical mistake for any business. The lack of segregation of duties enables a person to perpetrate and conceal their fraud for longer periods of time. Susan took advantage of her position as a trusted employee and defrauded her employer for a number of years. This fraud would have been much harder to commit had her duties been properly segregated among others within the organization.
According to the 2008 Report to the Nation on Occupational Fraud & Abuse, “lack of adequate internal controls was most commonly cited as the factor that allowed fraud to occur” and “the median loss suffered by organizations with fewer than 100 employees was $200,000.” As a result of the fraudulent schemes that were perpetrated by Companies such as Enron, the Sarbanes-Oxley Act of 2002 was enacted. This act mandated the evaluation of a Company’s internal controls over financial reporting by external auditors.
According to the Glass, Lewis & Co. trend alert, The Materially Weak, from February 27, 2007, the second most common material weakness in both 2005 and 2006 related to “inadequate staffing levels, incompetent staff, or inadequate segregation of duties.” The study noted that 535 and 517 material weaknesses in internal control disclosed for the years 2006 and 2005, respectively, were personnel-related issues. “Personnel issues were the only type of material weakness in 2006 that surpassed 2005 levels.” Segregation of duties presented a challenge for accelerated filers in the past and will present an even larger obstacle for non-accelerated filers with the impending attestation deadline.
With the increasing pressure non-accelerated filers face to minimize their costs and still operate their businesses effectively in this depressed economy comes the cross-utilization of employees in multiple financial areas. With these cost-cutting strategies arise segregation of duties conflicts. How can a Company then say that it has an effective internal control environment when the potential for fraudulent activity exists? This question concerns many CFOs of non-accelerated filers and presents a dilemma: resolve the conflicts and possibly incur additional costs, or operate with the segregation of duties conflicts and incur a material weakness. What is the right solution for these Companies?
The answer is that there is no single solution. The solution is unique to each Company based upon its size and employees. Discussed below are three different non-accelerated filers that have encountered segregation of duties conflicts and arrived at three different solutions.
Segregation of duties has been the major topic for the Sarbanes-Oxley (SOX) assessment of a small biotechnology Company for which EisnerAmper provides advisory services. The Company currently consists of the Chief Financial Officer, Chief Executive Officer, Chief Development Officer, Senior Accountant, Administrative Assistant, and Scientists. The Senior Accountant performs the day-to-day activities with regard to Accounts Payable and Payroll. He is also responsible for performing the month-end closing and the production of the financial statements.
The CFO reviews all closing entries, account reconciliations, and financial statements prepared by the Senior Accountant. However, when access to the Company’s financial application was obtained and reviewed, it was noted that the CFO had full access to the system. EisnerAmper advised that the CFO remove his access, since he is an authorized check signer and the approver of the financial reporting documents. The CFO was troubled by this suggestion. What was his recourse in the absence of the Senior Accountant when a check needed to be cut or a journal entry needed to be posted? This troubles many small non-accelerated filers that do not have the necessary personnel. The CFO made the decision to operate with the segregation of duties issues and rely on both compensating controls and entity-level controls, such as dual signatures on checks and review and approval of the financial statements by the CEO and Audit Committee. This solution will work as long as the compensating controls continue to operate effectively.
At another small biotechnology company in New Jersey, segregation of duties has also presented a series of challenges. When EisnerAmper, as advisors, first began assisting the Company with its internal controls in 2007, the Company consisted of a Chief Executive Officer, Chief Financial Officer, Chief Business Officer, Chief Development Officer, Controller, Administrative Assistant, and Scientists. Segregation of duties was not an issue at first as the Administrative Assistant performed the Accounts Payable day-to-day tasks, the Controller was responsible for the financial closing and reporting, and the CFO was the approver. However, when the Controller resigned, the Company decided to operate without a replacement.
At first, an external accountant took on the role of the Controller and was utilized to perform the monthly and quarterly financial reporting closing procedures. This did not present an issue as the CFO was still able to perform the role of the reviewer. However, as the economy started to turn sour, the CFO decided that he would take on the role of the Controller. Who was going to be the approver now? Giving the CFO full access to the system not only presented an issue in the financial reporting area, but also in Accounts Payable where the CFO was authorized to approve invoices and sign checks. Compensating controls, such as dual signatures on checks greater than $10,000 and approval of the bank reconciliations by the CBO, were implemented to lower the materiality of this control weakness to a deficiency. Upon being informed of the segregation of duties issue, the CFO’s access was removed from the Accounts Payable module. The biggest challenge came with segregating the financial closing process. Fortunately, the CBO of the Company had accounting knowledge and experience and was able to take on the role of the CFO as the approver.
EisnerAmper also provides advisory services for a slightly larger non-accelerated filer, which specializes in the manufacturing and distribution of security products and has also dealt with segregation of duties issues. This Company has a somewhat larger accounting department, with a CFO, Controller, AP Clerk, and two AR Clerks. It was not that the Company was unable to segregate properly; it had simply never considered the impact of these segregation of duties conflicts. Due to the small nature and informality of the Company, Management felt that fraudulent activity or errors would be easily identified through review and supervision activities. Through the review and breakdown of each significant business process, the Company was able to determine a way to properly segregate duties to avoid potential conflicts. Although some areas previously mentioned had already been implemented, it was user access to the financial application that was not properly restricted. The Company simply reviewed, changed, and validated access to the financial application. In addition, the Company agreed to validate user access on a periodic basis to ensure proper access and segregation in the system.
In summary, the first step is for the Company to identify where the segregation of duties conflicts exist through a risk-based examination of its key business processes. The Company should ask such questions as: “What are the tasks being performed in each business area? Who is performing these tasks? Who has access to perform these tasks within the financial application?” The tasks should be documented by cycle in Excel spreadsheets or by other means to identify conflicts where an individual can initiate, authorize, and enter an item. The Company can then determine if it is possible to redistribute the duties to alleviate the conflict. If it is not possible to properly segregate due to size constraints, the best solution may be to identify compensating controls or entity-level controls to minimize the impact and likelihood of the deficiency. However, these controls must be operating effectively at all times to properly mitigate the segregation of duties issues.
The second step is to ensure that the system access mirrors the business processes. Too often, roles are not properly created or restricted to limit the transactions that employees can access within the system. The common response is “that individual has never used that transaction and does not even know he or she has access to perform that function within the system”. Since the access has been granted, there is a potential for the employee to commit a fraudulent activity. However, if the financial application has the capability to generate a system log for a particular transaction, the review of the log could be used as a compensating control as verification that fraudulent or unauthorized activities are not taking place.
The third step is to conduct periodic reviews and certification of the financial application access to ensure that access changes have not created additional conflicts. The periodic review should be documented and authorized by key personnel who do not have access to make changes to access within the financial application, such as system administrators.
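The three steps above can be run as a repeatable check against an export of user access from the financial application. The following is an added example, not part of the original article or any EisnerAmper tooling; the permission names, conflict sets, users, log entries and compensating-control text are all constructed assumptions.

```python
# Hypothetical permission names; the conflict sets follow the duties named in the article.
CONFLICT_RULES = {
    "cash": {"disburse_cash", "record_entry", "reconcile_bank"},
    "payables": {"enter_invoice", "approve_invoice", "sign_check"},
}
ADMIN_PERMISSION = "manage_access"  # assumed name for the right to change user access

# Constructed sample data: access export, transaction log, documented compensating controls.
ACCESS = {
    "bookkeeper": {"disburse_cash", "record_entry", "reconcile_bank"},
    "cfo": {"approve_invoice", "sign_check", "enter_invoice", "record_entry"},
    "ap_clerk": {"enter_invoice"},
    "sysadmin": {"manage_access"},
    "cbo": {"reconcile_bank"},
}
USAGE_LOG = [("bookkeeper", "disburse_cash"), ("bookkeeper", "record_entry"),
             ("bookkeeper", "reconcile_bank"), ("cfo", "approve_invoice"), ("cfo", "sign_check")]
COMPENSATING = {("cfo", "payables"): "dual signatures on checks; CBO approves bank reconciliations"}


def find_conflicts(access, usage_log, compensating):
    """Return one finding per user and rule where the user holds 2+ conflicting duties."""
    used = {}
    for user, perm in usage_log:
        used.setdefault(user, set()).add(perm)
    findings = []
    for user in sorted(access):
        for rule, duties in sorted(CONFLICT_RULES.items()):
            held = access[user] & duties
            if len(held) < 2:
                continue
            findings.append({
                "user": user, "rule": rule, "held": sorted(held),
                # Granted-but-unused access is still a conflict; the log shows what was used.
                "exercised": sorted(held & used.get(user, set())),
                "status": "mitigated" if (user, rule) in compensating else "open",
            })
    return findings


def reviewer_is_independent(reviewer, access):
    """The person certifying the review must not be able to change access themselves."""
    return ADMIN_PERMISSION not in access.get(reviewer, set())


if __name__ == "__main__":
    for finding in find_conflicts(ACCESS, USAGE_LOG, COMPENSATING):
        print(finding)
    print("cbo may certify the review:", reviewer_is_independent("cbo", ACCESS))
```

A finding marked "mitigated" still depends on the compensating control operating effectively, so it belongs on the periodic review list alongside the open ones.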
In conclusion, all Companies, public and non-public, accelerated and non-accelerated, need to be aware of the impact inadequate segregation of duties can have on their businesses.