Segregation of duties (SOD) is conceptually simple: nobody should be assigned to do everything, or at least not everything of consequence. The idea is to prevent a conflict of interest, as well as an opportunity for poor judgment or fraudulent behavior, by designating one person to be responsible for system access and/or physical assets. Think of the folksy aphorism of “don’t let the fox guard the henhouse.” But SOD is a lot tougher today as organizations are asking employees to multi-task and as access to complex systems and their information can, inadvertently, create a conflict in someone’s day to day job activities.
SOD was easier in the England of Charles Dickens, where Ebenezer Scrooge had direct oversight of his clerk, Bob Cratchit, and locked up the ledgers and cash at night. Business was conducted face to face, and the system of the day entailed keeping records in an ink stained ledger, making white-collar crime difficult. There were only a handful of employees, monitored closely by Scrooge, and the system was a simple, straightforward chart of accounts entered in ink and bound in a book.
The basic elements of business in Dickens’ world included employees charged with entering accounts and paying invoices, the process for accounting for revenue and expense, a system that kept track of all of it, and an eagle-eyed business owner keeping a watchful eye upon them all. These elements are still found in business today, but their added complexities call for a more sophisticated approach to SOD.
The day of the quill pen and bound ledger is long gone, surpassed by ubiquitous computers, mobile devices, and complex software programs. Global accounts are managed by employees who speak various languages, adhere to different business and cultural customs, and follow an unending variety of procedures in day-to-day business. Business is conducted at high speed, spanning multiple systems that connect to an array of customers, contractors, trading partners, purchasing agents, design engineers, financial and accounting support personnel, and countless other specialities. The relationship among the basic components of business — people, processes, and technology — are in a constant state of flux and change. As these relationships change and/or become more complex, so too does the nature of SOD.
Here is a real life situation: US based employees can access information at their corporate office via the companies ERP system. Those same employees can also use their IOS device and home office computers to access that system. For some transactions, they access a feeder system that is based somewhere in the cloud to process transactions to the ERP. They can also post entries and adjustments into their corporate consolidation system which happens to sit in their finance department in Europe. Lots of complexity that also provides great efficiency and profitability – provided the access, privileges and risks are managed appropriately.
Are your SOD processes and controls still valid and reliable? Are they keeping pace with change? SOD should be continually evaluated for relevance and comprehensiveness, in terms of the changing business and regulatory environments. Reviewing SOD controls can be made part of organizational quality reviews or other audits. It is certainly an appropriate topic for risk assessments. Helpful references for best practices and compliance requirements can be found in the Uniform Occupational Fraud Classification System of the Association of Certified Fraud Examiners, the Securities and Exchange Commission’s Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting, as well as the Public Company Accounting Oversight Board’s Audit Standard No. 5 (AS5).
Major organizational changes may also have implications for SOD. Companies going through mergers and acquisitions, downsizing, and restructuring will often signal a need to review SOD. However, while seminal organizational change usually puts auditors and risk managers on high alert, don’t discount the barely noticeable everyday changes as people are hired, promoted, and fired, or as some decide to retire. A small, seemingly inconsequential change can have unexpected consequences for an organization. Likewise, system upgrades and the integration of information from multiple systems will often impact systems of record. When people and their organization change and when enabling systems undergo change, current SOD can quickly become obsolete and ineffective.
Changes in the economy and in the financial fortunes of companies can also affect SOD as companies attempt to do more with fewer resources. Multi-tasking and the assumption of new roles and responsibilities can inadvertently compromise existing controls and procedures designed to prevent situations where potential conflicts of interest arise. For example, a problem surfaces – it can be organizational or emerge from evolving technical systems – and the managerial response may be a temporary work-around, assuming that “we’ll true-up things afterward.” How many of us have seen a “temporary work-around” become a permanent fixture of a system, or a temporary additional duty, such as disbursing and balancing cash, become a permanent responsibility that is never included into a revised job description?
All organizations must be able to respond to change in an agile manner, and an expedient solution is better than no solution or one that comes long after the damage is done. This only underscores how a best practice for companies is to continually audit and re-evaluate home -grown processes, policies, and procedures… most of which have not been documented, tested, or evaluated for potential conflicts of interest.
Each company has its own unique operating environment based on its people, processes, and technologies. Canned SOD programs may help as a way to become acquainted with some of the general areas and issues to be addressed, but it is usually better to fit the controls to your unique needs. For example, when you are examining transactions, focus on those that are the most consequential for your business and tailor your approach to your business risks, needs and strategies. Some of the following bulleted items will be relevant; others not so much.
- What is the risk of overstating revenue in your business? Do you see a surge of orders at the end of the year only to be followed up by a surge of returns 30 or 40 days later?
- What is the risk of understating liabilities? Are accounting controls being overridden?
- How tight are your controls around the submission and payment of invoices?
- Do you have inventory control policies in place?
- Has your payroll been audited for ghost employees?
- Do workers’ compensation and medical insurance follow a SOD protocol, where physicians and investigators are rotated on a regular basis?
- Are SOD protocols adhered to in foreign countries, especially around disbursement of cash or other valuables to foreign officials?
- Is there a conflict-of-interest policy as well as a policy on the disclosure of proprietary information?
- Is there a whistle-blower’s hotline, and are complaints formally recorded and tracked until resolution?
When reviewing a function or process think about these questions:
- Who controls the asset?
- Who authorizes its use or disbursement?
- Who records the transaction?
- Who reconciles or true-ups the books?
- Are individuals rotated through these responsibilities?
- How often?
- How are they chosen?
- Who evaluates their performance?
- Are there adequate controls if any of the four key functions are performed by the same person or group?
Today the need for segregation of duties is the same as it was in Dickensonian England: Put into place the people, processes, and technology that lowers risk, decreases the likelihood of fraud and the potential for conflicts of interest. However, modern management theory certainly espouses the need for establishing a trusting environment. But as one recent President of the United States astutely observed, “Trust, but verify.”
Bob is the Philadelphia-based lead partner in PwC’s US SAP Controls Solutions practice and is PwC's Global Alliance Partner for SAP in Governance, Risk and Compliance (GRC) solutions. In this capacity, Bob directs our global teams in the development of tools, methodologies, marketing and training for SAP GRC solutions. Bob has worked on large SAP business transformation projects, concentrating on transformation strategy, business case development and requirements, project risk mitigation, internal controls and security. Bob has supported clients in the ERP and systems integrator selection processes and counseled client executives and Boards of Directors on large ERP transformation projects. Bob has provided litigation support for two large multi-million dollar legal cases for trouble implementations where he shared his insights and recommendations on large project success and failure criteria. Bob has also provided independent feedback to clients on large business transformation projects, advising on overall readiness, implementation strategy, development methodology, service provider selection, outsourcing strategy, project governance and structure and improvement planning. During his 18 year career Bob has helped many clients evaluate and improve their utilization of technology to support and enable business strategy, focusing on maximizing their investments in technology and automation. He has advised clients on SAP security, controls and GRC Access Controls and Process Controls solutions in a variety of industries including chemicals, industrial products, pharmaceuticals, medical devices, retail and consumer manufactures. His engagements include: AmerisourceBergen, Sunoco Inc., Day and Zimmermann, Shire Pharmaceuticals, VWR International, E. I. DuPont de Nemours, Rohm and Haas/Dow Chemical, Ashland Chemical, PQ Corporation, The Campbell Soup Company, Bacardi International and AstraZeneca. Bob recently spoke at the 2011 SAP GRC Insiders Event on the topic of SAP Governance, Risk and Compliance and co-presented with SAP America at the keynote address for this event. Bob also spoke at this year's Sapphire in Orlando on SAP security and controls -leading practices and GRC technologies. Bob attended executive development programs at Insead Business School in France and the Anderson School at UCLA. He graduated with a BSBA in Finance from Villanova University where he frequently speaks on IT strategy and accounting information systems, and lectures as guest instructor at the Villanova School of Business. Bob serves on the Board of Directors for the Boys and Girls Clubs of Philadelphia and on the IT Strategy Committee for the YMCAs of Philadelphia and Vicinity.