I often write about internal control systems and how important good internal controls are when it comes to preventing and detecting fraud and error. A big part of this is the separation of duties. I refer to this often but it struck me the other day that I have perhaps not been terribly clear about what exactly the concept of separation of duties is all about. How does one figure out how to separate duties effectively and what purpose does this separation serve?
In a business, if there is one person responsible for a financial process from beginning to end, there is a great risk of both fraud and error. Without another party to check, review or authorize a person’s work, any errors or fraudulent activity could very easily go undetected. Recently, I heard of a woman who worked at a not-for-profit, receiving and depositing donations. A donor called the not-for-profit to inquire about a check donation that she had sent in. The check, she said, had not yet been presented for payment. Upon investigation, it turned out that the employee at the not-for-profit had been feeling so overwhelmed by her duties that, instead of processing and depositing donations, she had been taking these donations home. Checks were found piled in her home. Had the not-for-profit instituted proper separation of duties, where another party was aware and had a record of checks that had been received at the not-for-profit, it would have become apparent, very quickly, that checks were not being deposited. In such circumstances, for example, one party would record checks as they arrived at the not-for-profit, pass a copy of the check on to one person who would record the received funds in the books and then give the original check to another person who would make the deposit. Now there would be three people who knew that funds had come into the entity and the person responsible for making the deposit would not be the person recording the deposit in the financial records.
When only one person is involved in a financial process, only that one person has to be convinced to commit fraud. However, if two or more people are involved in that process, the parties then have to agree to collude to commit a crime. Those two will have to be sure that one will not sell the other out, should something go wrong. That becomes risky as, with more than one person involved in a process, there is always another person who can speak up about errors or possible unscrupulous activity. The majority of frauds are reported by a whistleblower; the proper separation of duties can go a long way towards creating potential whistleblowers.
When thinking about separation of duties in an internal control system, you should think about splitting every transaction into three functions and assigning a different person to each function. These three functions are:
- Authorization, which is the approval process
- Execution, which is the accounting and reconciling of the transaction
- Custody of the asset involved in the transaction
For example, in the case of Rita Crundwell, she AUTHORIZED payments and transfers made by the city of Dixon. She also EXECUTED the transactions, recording them in the books and reconciling the bank statements. She also had CUSTODY of the bank accounts, holding the checks and making the transfers out of city bank accounts and into her own personal accounts. No one else was involved in these processes, so no one else could ask questions about what was going on and why.
It is vital, when setting up an internal control system with the proper separation of duties, that this system is set up by a qualified accountant who has knowledge of processes, their weaknesses and where, in those processes, the authorization, execution and custody functions lie. The accountant should be able to explain how and why duties should be assigned to different people. The accountant should be able to work with a company’s complexities and staff restrictions to come up with the best ways to safeguard the assets of that company.
It may seem tedious and overly cautious, but it is far smarter to have a finance system that discourages potential fraud than to scramble around trying to recover assets after they have been stolen. Separation of duties goes a long way toward reducing the opportunities for fraud and creating greater possibilities that fraud and error will be detected. You want a system where an employee, under pressure to commit fraud, sees that others are checking on the process and that there is a well-organized system. You want that person to decide that trying to exploit the system and steal from the entity is too complicated. You want a system where, should someone actually decide to steal, they will be discovered through the various checks and balances built into the system. So, break it up!