Managing Segregation of Duties:
What if it’s not operationally feasible to separate all tasks?
When considering controls, including Segregation of Duties (SoD), it’s important to focus on what we’re trying to achieve.
I think it’s summarized very well on the University of Toronto’s Internal Audit website.
They define a control as “any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.”
There are four main types of controls: preventative, detective, compensating and steering. This article focuses on compensating controls.
What are compensating controls and when do you need them?
To reduce the risk of fraud and operational errors, most organizations define Segregation of Duties (SoD) policies, then implement detective controls, which identify anybody who has access to combinations of applications that enable them to violate the SoD rules. Ideally, they also implement controls to prevent people being granted access which breaches the policies.
But resource limitations, such as technical or staffing constraints, mean that it’s not always possible to achieve perfect SoD. Where this is the case, you can use compensating controls to mitigate the risk incurred when a user needs to have many duties. This type of control offers an alternative means of providing the “reasonable assurance” that we need.
Here’s an example of where a compensating control is required:
A single user has access to and performs the tasks of accepting cash payments and recording the payments. Due to the nature of the business, and for efficiency, the same user performs both tasks. To prevent fraud, oversight is required. So, we need a compensating control – for example, we may specify that a second user must perform a reconciliation, reviewing the cash against the recorded transactions.
Compensating controls should:
- Meet the intent of the original control requirement
- Provide a similar level of assurance
- Go above and beyond the original control requirement.
This third point is important. By its nature, a compensating control is never as good as creating a control within the system itself, so the compensating control has more to prove – and must go above and beyond what the system itself could have provided. For example: requiring a second signature on a report is not a good compensating control if the person never actually looks at the details line by line. So, you should always aim to make the compensating control more rigorous – i.e. the second signatory must not only sign off on the report, but must sign off on every line item, with comments etc.
When designing compensating controls, consider these tips:
- Documentation – create a formal document which can be reviewed by management. The document should clearly outline the steps necessary to execute the compensating control.
- Approval – ensure documentation is reviewed on a regular basis and approved by management. Systems, access, people and functionality change constantly, so it’s important to ensure that your control is relevant and serves the purpose it was designed for.
- Training – ensure appropriate staff are trained. They need to understand the risk, review the procedure documentation and be clear on such things as execution method and timing.
- Review – periodically review the control to ensure that it’s effective, especially in the first six to twelve months of a new control being in place.
Examples of frequently used compensating controls:
- The requirement for a secondary signature to authorize critical or sensitive transactions, such as high dollar value for purchase orders.
- Exception reports. These can be created in a reporting tool and setup on a scheduler, so that they are run in a timely manner. The output is then checked against the applicable process. An example of this is a report of changes to customer master data; the report is reviewed against documentation that states the requestor of the change is not the person who executed the change. The report is then signed by a supervisor or manager and saved as evidence.
Be mindful that compensating controls are a stop gap and not an ideal end state. Wherever possible, consider using other types of controls, such as preventative controls, which may be more rigorous and more cost effective as they require less resources.
Specialized tools can help. Q Software’s auditing solutions flag conflicts / violations and provide the ability to note mitigations and report on the associated compensating controls.