Segregation of Duties (SoD) Limitations in Finance

Oct 30, 2023

In the world of business and finance, maintaining a system of internal controls is essential to safeguard assets, prevent fraud, and ensure the accuracy and reliability of financial reporting. One widely adopted control mechanism is the segregation of duties (SoD). While SoD plays a crucial role in mitigating risks, it’s important to acknowledge its limitations and understand that it’s not a panacea for all control issues. In this blog post, we will delve into the limitations of SoD.

The traditional concept of segregation of duties (SoD) assumes that roles and responsibilities are well-defined and static. In today’s dynamic work environments, employees often wear multiple hats, and job roles can be complex and multifaceted. 

This complexity can make it challenging to implement clear divisions of duties. As an example, the Controller approves all payments and all new vendors added to the Vendor Master File.

Senior Accountant A books the journal entries and Senior Accountant B maintains the Vendor Master file after approval is gained from the Controller. On the surface this is a very good delegation of the custody, recording and authorization functions that act as the core for SoD; however, what happens when the Controller is on vacation? Based on fraud events that I have studied, typically, one of the Senior Accountants will take over those duties when the Controller is on vacation. 

This is all it would take to add a few fictitious vendors to the master file. This issue is all too common in businesses today, and it is a pivotal limitation of segregation of duties. It is the reason why it is so important to add resiliency to the process and to think of SoD as part of the broader risk management process, not the sole focus.

One of the most significant limitations of SoD is its narrow focus on financial processes and controls. While it’s undeniably vital for safeguarding financial assets and preventing financial fraud, it does little to address non-financial risks. These can include data security breaches, operational inefficiencies, and strategic decision-making errors. SoD simply cannot cover these areas comprehensively. Strategic decisions and managerial actions often fall outside the scope of traditional SoD.

Top-level executives and management teams have the authority to make crucial strategic choices and sometimes even override existing controls. Consequently, SoD alone cannot fully mitigate the risk of poor strategic decisions or managerial misconduct. In addition, ensuring the smooth operation of processes and systems is critical for organizations. 

SoD mainly focuses on control and authorization aspects but may not address operational integrity adequately. System failures, process breakdowns, or IT-related issues may not be within the purview of traditional SoD measures. While SoD is a fundamental control mechanism, it should be viewed as one piece of the larger puzzle in your organization’s risk management strategy.  

Acknowledging its limitations and supplementing it with other controls is crucial for addressing a broader spectrum of risks effectively. By doing so, the process will be better equipped to protect the organization from a wider range of threats and challenges.

SoD is built on the premise that individuals cannot collude to commit fraud. However, determined individuals can still find ways to work together to circumvent controls, especially in larger organizations with multiple layers of management.

Management holds a unique position in organizations and often has the authority to override controls, including SoD. This can pose a significant risk, as it can lead to fraud or financial misstatements.

Now that we have discussed some of the limitations of SoD, I wanted to add in a few ideas to combat these and help Companies be better prepared for an ever-changing world. When I refer to resiliency in this article it means having additional layers of controls in the process to ensure prevention and/or detection of fraud even if there is a breakdown in SoD.

Consider the Controller and two Senior Accountants example from above. With clever use of AI, a system can be implemented to monitor all payments to vendors and identify if any of the accounts being paid are owned by an employee. In my experience someone in this position does not typically create a new identity but will open the account in their own name. This simple use of an AI program could detect an issue when it is a thousand-dollar problem as opposed to a million-dollar one.
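The monitoring control described above, as an added example that is not part of the original post: a rule-based Python check (simple matching, not the AI system the post mentions) that compares each paid vendor's bank account with employee payroll accounts and also flags vendors approved by someone other than the Controller. All names, IDs, account numbers and field names are constructed for illustration.

```python
import re

def norm(account):
    """Keep letters and digits only, so formatting differences cannot hide a match."""
    return re.sub(r"[^0-9A-Za-z]", "", account).upper()

def review_payments(payments, vendors, employees, approver_role="Controller"):
    """Return {payment_id: [reasons]} for payments that need a second look."""
    by_account = {norm(e["bank"]): e for e in employees}
    by_id = {e["id"]: e for e in employees}
    vendor_by_id = {v["id"]: v for v in vendors}
    findings = {}
    for p in payments:
        v = vendor_by_id.get(p["vendor"])
        if v is None:
            findings[p["id"]] = ["vendor not in master file"]
            continue
        reasons = []
        owner = by_account.get(norm(v["bank"]))
        if owner:  # payee account is an employee's payroll account
            reasons.append(f"payee account matches payroll account of {owner['id']}")
        approver = by_id.get(v["approved_by"])
        if approver is None or approver["role"] != approver_role:  # e.g. vacation cover
            reasons.append(f"vendor approved by {v['approved_by']}, not the {approver_role}")
        if v["approved_by"] == v["maintained_by"]:  # SoD breakdown on the master file
            reasons.append("vendor maintained and approved by the same person")
        if reasons:
            findings[p["id"]] = reasons
    return findings

# Constructed sample data: payroll records, vendor master file, payment run.
EMPLOYEES = [
    {"id": "E1", "role": "Controller", "bank": "021000021-000123456"},
    {"id": "E2", "role": "Senior Accountant A", "bank": "011000015-0099887766"},
    {"id": "E3", "role": "Senior Accountant B", "bank": "026009593 44-5566-77"},
]
VENDORS = [
    {"id": "V1", "bank": "031100209-7001", "maintained_by": "E3", "approved_by": "E1"},
    {"id": "V2", "bank": "011000015 0099887766", "maintained_by": "E3", "approved_by": "E2"},
    {"id": "V3", "bank": "026009593-44556677", "maintained_by": "E3", "approved_by": "E3"},
]
PAYMENTS = [
    {"id": "P1", "vendor": "V1", "amount": 4200},
    {"id": "P2", "vendor": "V2", "amount": 1000},
    {"id": "P3", "vendor": "V3", "amount": 950},
    {"id": "P4", "vendor": "V9", "amount": 300},
]

for pid, reasons in review_payments(PAYMENTS, VENDORS, EMPLOYEES).items():
    print(pid, "; ".join(reasons))
```

Because the check runs on payment and master-file data rather than on role assignments, it still fires when approval duties were temporarily handed to a Senior Accountant.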

It is very important to introduce monitoring controls to the overall risk management process. Even if the process is designed effectively, if it is not operating effectively, it renders the whole system meaningless. The greatest pushback I have personally seen from my discussions with Companies both as an auditor and a consultant is they do not want their employees to feel as though they do not trust them, so they hesitate to add in some of these controls. 

SoD is an essential component of internal controls, but it is not without its limitations. In a constantly evolving business landscape, organizations must recognize these limitations and take proactive steps to address them. By doing so, Companies can strengthen their control environment, reduce the risk of fraud and errors, and safeguard their assets and reputation effectively. Remember that SoD should be part of a broader risk management strategy that includes a combination of controls tailored to the unique needs and challenges of your organization.

