Addressing Problems with the Segregation of Duties in Smaller Companies
Gramling, Audrey A., Hermanson, Dana R., Hermanson, Heather M., Ye, Zhongxia, The CPA Journal
One of the fundamental elements of effective internal control is segregation of duties, meaning that a process is divided among several people. As such, no single person can take advantage of the situation for personal gain or other impropriety. Although segregation of duties is prevalent in larger, more bureaucratic organizations, it can present a challenge for smaller companies with limited personnel and constrained resources.
Newly available data can shed light on the problems smaller companies face in the segregation of duties. Specifically, the segregation of duties material weaknesses disclosed by smaller companies under Sarbanes-Oxley (SOX) section 404(a) for the 2008 fiscal year are analyzed below. SOX section 404(a) requires management to provide its assessment of the effectiveness of internal control over financial reporting and to disclose any material weaknesses in internal control. Smaller reporting companies do not yet have to comply with SOX section 404(b), which requires an auditor's opinion on the company's internal controls.
This article explores the types of smaller companies with segregation of duties problems; the nature of the weaknesses, including specific accounting areas affected and any compensating controls; possible solutions; and the sample companies' efforts to remediate these weaknesses.
The Audit Analytics database was used to identify smaller companies with material weaknesses related to segregation of duties. Specifically, companies with the following characteristics were selected:
* The Sarbanes-Oxley section 404(a) management report on internal controls indicated ineffective controls (at least one material weakness exists).
* One of the reasons listed was "IC - Segregations of duties/Design of controls (personnel)" (the material weakness involves a segregation of duties problem).
* The fiscal year was 2008.
* The company's market value was less than $75 million (the cutoff for smaller reporting companies is $75 million of public float).
* The company was U.S.-based.
These criteria yielded 358 small companies with segregation of duties material weaknesses disclosed by management, out of approximately 700 smaller companies with ineffective internal controls due to any type of material weakness. (A similar search of large companies [market value greater than $75 million] yielded fewer than 30 larger companies with segregation of duties material weaknesses. Thus, segregation of duties problems appear to be mainly a small company issue.) These 358 small companies were sorted by name and the first one-third of the management reports were analyzed, ultimately resulting in a sample of 116 companies.
Exhibit 1 presents descriptive information on the 116 sample companies. Their median market value was under $5 million, and their median assets were just over $1 million. Many of the companies also appear to be in the startup stage, as 42 have no revenues (median revenues were under $100,000), and the median net loss was nearly $1.3 million. The industry mix was weighted toward manufacturing and service companies. The median total number of material weaknesses reported by each company was two, ranging from one to eight.
Nature of the Segregation of Duties Weaknesses
The authors analyzed the management report on internal control for each of the 116 sample companies in order to understand the nature of the segregation of duties weaknesses. The reports differ in their level of disclosure, with some companies providing limited, boilerplate language and others providing in-depth discussions of their material weaknesses, compensating controls, and present and future remediation efforts.
As shown in Exhibit 2, the vast majority of companies described their segregation of duties weaknesses as too few employees (90 companies). A significant number (22 companies) did not discuss the specifics of the problem. Seven companies indicated that they have only one or two officers or directors.
Some companies mentioned specific accounting areas affected by the segregation of duties material weaknesses. The most commonly mentioned areas were cash disbursements, cash, accounts payable/invoice approval, purchases, and period-end closing. It is clear that the primary area of concern is the disbursement cycle, where a lack of segregation of duties can result in unauthorized purchases and payments. (See the Association of Certified Fraud Examiners' [ACFE] 2008 Report to the Nation on Occupational Fraud and Abuse, www.acfe.com/documents/2008-rttn.pdf, for details on the prevalence of disbursement frauds.)
Some companies discussed compensating controls that may partially mitigate the segregation of duties problem. The two most commonly mentioned compensating controls were management, board, or other independent reviews and reconciliations, and third-party reviews. Thus, additional review, whether done by company insiders or third parties, is the key compensating control cited by management.
Resolving Segregation of Duties Problems
Several entities and commentators offer guidance and suggestions for addressing segregation of duties challenges, especially for small companies.
Adding more people. One obvious solution to segregation of duties weaknesses is to add more people to the organization. It is difficult to offer a general rule regarding how many people are needed for an appropriate segregation of duties, as the number needed will depend on the company setting, the specific processes involved, the skill levels of the employees, and a host of other factors.
There is some debate about whether adding more people is an optimal solution. For example, the University of Colorado policy manual asserts that adding more people is typically the best solution, but recognizes that it is not always feasible (www.cu.edu/security/ps/INTERNAL_CONTROLS.HTML):
Compensating Controls are less desirable than separation of duties because they generally occur after the transaction is complete (post audit). Relying completely on compensating controls is less desirable than separation of duties because it takes more resources to investigate and correct errors, and recover losses, than it does to prevent them. However, in some circumstances, departments do not have the staff resources to establish adequate separation of duties, so they have no choice in the matter. In these instances, it is important for management to implement controls that compensate for the increased risk.
In contrast, a common theme among many commentators appears to be that hiring more employees may not be the best solution to segregation of duties material weaknesses. Rather, many suggest that companies focus on reducing risk in crucial areas. As the Committee of Sponsoring Organizations of the Treadway Commission (COSO) states in its 2006 Internal Control over Financial Reporting - Guidance for Smaller Public Companies (p. 5), "Segregation of duties is not an end in itself, but rather a means of mitigating risk inherent in processing."
Beyond adding more people, professional guidance tends to focus on four other types of solutions: rotation of duties; management oversight; third-party involvement; and top-down, risk-based analysis. Some combination of these solutions may be the best alternative for many small businesses.
Rotation of duties. Some companies that may not have the ability to add people can periodically rotate duties among existing personnel. The ACFE's 2008 report highlighted the effectiveness of job rotation and mandatory vacation in reducing fraud losses. Organizations using job rotation or mandatory vacation had median fraud losses that were more than 60% lower than companies that did not use job rotation or mandatory vacation. Fraud investigator Joseph Wells also points to job rotation as a key fraud deterrent, but recognizes that job rotation may be difficult for some very small organizations to employ ("The Case of the Pilfering Purchasing Manager," Journal of Accountancy, May 2004).
Management oversight. Some small businesses may need to rely on greater management involvement in day-to-day activities. For instance, COSO's 2006 internal control guidance states:
Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties. There are, however, actions management can take in order to compensate for potential inadequacy. These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control. (p. 4)
Thus, COSO primarily points to additional management review and reconciliations to bolster controls when segregation of duties is lacking. If management review is used as a key control, however, it is critical that the managers have appropriate knowledge of accounting and understanding of the underlying transactions that they are reviewing.
The SEC's Advisory Committee on Smaller Public Companies offers a similar perspective in its 2006 final report (www.sec.gov/info/smallbus/acspc/acspcfinalreport.pdf), calling for senior management to be directly involved when segregation of duties is weak:
In smaller companies, people wear multiple hats . . . The result is that segregation of duties, a key element of effective internal control, may not be achievable to the extent desired. This lack of segregation of duties requires senior management to be involved in all material transactions and directly involved in financial reporting. (pp. 35-36)
Management's daily involvement in material transactions can serve to mitigate segregation of duties issues. Management can rely on exception reporting to highlight areas for further review. For example, the company's information system can generate reports of disbursements over a certain threshold or disbursements to unrecognized vendors for management review. In addition, regular analytical review procedures also may help highlight unusual trends. For example, most businesses should have fairly stable gross profit and operating profit relationships. Being familiar with key operating figures and ratios should help management identify abnormal shifts in key accounts. Regular use of horizontal and vertical analysis should provide management with an understanding of baseline performance, enhancing the opportunity to detect problems.
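The exception reporting and analytical review described above can be sketched in a few lines. This is an added example, not part of the original article: the record layout, the vendor master, the 10,000 threshold, the 5-point margin tolerance and the extra "same person entered and approved" check are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from statistics import mean

@dataclass(frozen=True)
class Disbursement:
    ref: str
    vendor: str
    amount: Decimal
    entered_by: str
    approved_by: str

def disbursement_exceptions(items, vendor_master, threshold):
    """Return {ref: [reasons]} for payments a manager should review."""
    known = {v.strip().lower() for v in vendor_master}
    report = {}
    for d in items:
        reasons = []
        if d.amount >= threshold:
            reasons.append("over_threshold")
        # Normalise names so spacing or case cannot hide or invent a vendor.
        if d.vendor.strip().lower() not in known:
            reasons.append("unrecognized_vendor")
        # Assumed extra check: one person both entered and approved.
        if d.entered_by == d.approved_by:
            reasons.append("same_person_entered_and_approved")
        if reasons:
            report[d.ref] = reasons
    return report

def margin_shifts(periods, tolerance=Decimal("0.05"), min_history=3):
    """Flag periods whose gross margin departs from the running baseline."""
    history, flagged = [], []
    for label, revenue, cogs in periods:
        if revenue == 0:  # no-revenue period: margin is undefined, skip it
            continue
        margin = (revenue - cogs) / revenue
        if len(history) >= min_history and abs(margin - mean(history)) > tolerance:
            flagged.append(label)  # keep outliers out of the baseline
        else:
            history.append(margin)
    return flagged

# Constructed sample data.
VENDOR_MASTER = ["Acme Supply", "City Utilities"]
PAYMENTS = [
    Disbursement("D-1001", "Acme Supply", Decimal("1200.00"), "alice", "bob"),
    Disbursement("D-1002", "Acme Supply", Decimal("25000.00"), "alice", "bob"),
    Disbursement("D-1003", "Northside Consulting", Decimal("800.00"), "alice", "alice"),
    Disbursement("D-1004", "acme supply ", Decimal("300.00"), "carol", "bob"),
]
PERIODS = [
    ("2008-01", Decimal(1000), Decimal(600)),
    ("2008-02", Decimal(1100), Decimal(660)),
    ("2008-03", Decimal(900), Decimal(549)),
    ("2008-04", Decimal(1000), Decimal(720)),
    ("2008-05", Decimal(0), Decimal(0)),
    ("2008-06", Decimal(1000), Decimal(610)),
]

if __name__ == "__main__":
    print(disbursement_exceptions(PAYMENTS, VENDOR_MASTER, Decimal("10000")))
    print(margin_shifts(PERIODS))
```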
A common theme is that management must have financial expertise if the business is going to rely on management oversight in lieu of traditional segregation of duties. In addition, a business may derive greater benefits from a more informed management team than from additional employees hired purely to resolve segregation of duties conflicts. Consistent with this notion, a recent GAO report, Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (www.gao.gov/new.items/d06361.pdf), suggests that active management involvement is as effective and efficient as other types of controls:
According to COSO, however, some of the unique characteristics of smaller companies create opportunities to more efficiently achieve effective internal control over financial reporting and more efficiently evaluate internal control which can facilitate compliance with section 404. These opportunities can result from more centralized management oversight of the business, and greater exposure and transparency with the senior levels of the company that often exist in a smaller company. For instance, management's hands-on approach in smaller companies can create opportunities for less formal and less expensive communications and control procedures without decreasing their quality. To the extent that smaller companies have less complex product lines and processes, and/or centralized geographic concentrations in operations, the process of achieving and evaluating effective internal control over financial reporting could be simplified. (p. 19)
Third-party involvement. Others point to third-party involvement as a potential solution to segregation of duties weaknesses. The PCAOB's 2009 Guidance for Auditors of Smaller Public Companies addresses this issue:
Use of external parties also can help achieve segregation of certain incompatible duties without investing in additional full-time resources . . . Consultants, other professionals, or temporary employees can assist companies in performing some controls or other duties. For more complex or specialized portions of internal control, such as cash receipts handling, payroll processing, or securities recordkeeping, the company might use an external party to perform an entire function. (p. 25)
One potential third party to consider is an external CPA. Eve E. Brown, in "Five Common Mistakes of Small Business Owners" (www.sbrn.org/Connections/05_00_Five_Common_Mistakes.htm), suggests that small-business owners:
Find a professional you're comfortable with and use their knowledge to make your business run smoothly. Involving your CPA as a "partner" in your business allows him or her to analyze your situation and establish an accounting system that works for your business. . . . This effort can be as simple as having your bank statements sent directly to your CPA before passing them along to your bookkeeper. If your CPA doesn't scrutinize the statements, a quick review can sometimes uncover unusual entries or trends. You should also obtain the necessary reports at month's end that tie all financial activity together for that time period. These reports let you see where you stand month to month and reveal any mistakes or financial misconduct.
When considering the use of third parties, it is important to analyze the costs and benefits of using third parties as compared to hiring an additional person or using more direct management involvement.
Top-down, risk-based analysis. Many software companies and IT auditors focus particular attention on segregation of duties issues. Several companies offer software products that identify incompatible system duties held by the same individual. These companies typically develop large matrices to document all possible duties and highlight every conflict. While this technique was popular during the early stages of SOX implementation, many argue that a focus on a matrix of incompatible duties puts too much focus on noncrucial conflicts, draining resources from key risk areas. As a result, many auditors are touting a risk-based approach ("Segregation of Duties in the Real World," Oversight Systems, www.oversightsystems.com/whitepapers/Real_World_SoDs_060808.pdf):
Rather than approaching every SOD [segregation of duties] conflict with equal importance, risk-based segregation considers each conflict in the context of its effect on financial integrity and the likelihood of actual violations. (p. 4)
Similarly, Nick Stone, corporate audit manager of Cree Inc., calls for IT auditors to use a risk-based approach to evaluating segregation of duties conflicts that they identify in their companies' systems ("Simplifying Segregation of Duties," Internal Auditor, April 2009):
In many organizations, responsibility for testing SOD is relegated to the IT auditor - for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. While not incorrect, this knee-jerk response overlooks the importance of understanding business risks and existing controls already in place to address those risks. IT auditors traditionally assigned SOD testing (or control design) should rise above nuanced logical access settings and understand the business in a way that facilitates more practical control mechanisms and more efficient audit procedures . . . Instead of starting with these automated tools, auditors should consider putting the scripts down (at least for now) and focusing on understanding the few critical risks that need to be controlled. Once these risks are understood, scripts can be used on a targeted basis to streamline SOD testing.
Thus, segregation of duties weaknesses must be considered within the broader context of key business risks and compensating controls.
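The difference between a full conflict matrix and the risk-based approach can be shown on a small role model. This is an added example, not taken from the article or from any vendor's product: the duty names, the impact and likelihood ratings, the compensating-control discounts and the cutoff are all constructed assumptions.

```python
from itertools import combinations

# Constructed rules: incompatible duty pair -> (impact on financial
# integrity 1-5, likelihood of an actual violation 1-5).
CONFLICT_RULES = {
    frozenset({"create_vendor", "approve_payment"}): (5, 4),
    frozenset({"enter_invoice", "approve_payment"}): (5, 3),
    frozenset({"record_cash", "reconcile_bank"}): (4, 3),
    frozenset({"post_journal", "close_period"}): (3, 2),
    frozenset({"edit_item_master", "print_labels"}): (1, 1),
}
# Constructed compensating controls: the duties each one covers and the
# percentage of risk assumed to remain once it operates.
COMPENSATING = {
    "independent_bank_rec_review": (frozenset({"record_cash", "reconcile_bank"}), 40),
    "owner_signs_all_checks": (frozenset({"approve_payment"}), 50),
}
# Constructed small-company assignments: one bookkeeper wears most hats.
ASSIGNMENTS = {
    "bookkeeper": {"create_vendor", "enter_invoice", "approve_payment",
                   "record_cash", "reconcile_bank"},
    "controller": {"post_journal", "close_period"},
    "warehouse": {"edit_item_master", "print_labels"},
}

def find_conflicts(assignments):
    """Matrix-style pass: every rule hit, scored impact x likelihood."""
    hits = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            rule = CONFLICT_RULES.get(frozenset((a, b)))
            if rule:
                hits.append((user, a, b, rule[0] * rule[1]))
    return hits

def prioritize(assignments, controls_in_place, cutoff):
    """Risk-based pass: discount for compensating controls, then rank."""
    ranked = []
    for user, a, b, inherent in find_conflicts(assignments):
        residual = float(inherent)
        for name in controls_in_place:
            covered, pct_left = COMPENSATING[name]
            if covered <= {a, b}:  # control addresses this duty pair
                residual = residual * pct_left / 100
        residual = round(residual, 1)
        if residual >= cutoff:  # drop conflicts below the review cutoff
            ranked.append((residual, user, a, b))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2], r[3]))

if __name__ == "__main__":
    print(len(find_conflicts(ASSIGNMENTS)), "conflicts in the full matrix")
    for row in prioritize(ASSIGNMENTS, {"independent_bank_rec_review"}, 5):
        print(row)
```

With the bank reconciliation review in place, the full matrix reports five conflicts but only three remain above the cutoff, led by the two disbursement-cycle conflicts.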
Once these key risk areas are identified, management should ask the following questions, implementing segregation of duties where appropriate:
* Are sensitive transactions documented/mapped so that each step is clearly understood?
* Are key points in the transaction processes identified where one person's ability to perform tasks ends and another's begins?
* Are employees in sensitive positions properly vetted?
* Are processes in place to adjust system access when employees change roles within the organization?
* Are employees who handle sensitive information required to take mandatory vacations, or are they required to change roles periodically (rotation of duties)? ("Segregation of Duties and Oversight Controls Gone Wrong," Tom Olzak, it.toolbox.com, January 27, 2008)
Companies' Remediation Efforts
As shown in Exhibit 3, many of the 116 companies' management reports on internal control also discuss the status of any remediation efforts. Upon analysis, many of these efforts are consistent with the guidance discussed above.
Nineteen companies had already taken some steps to remediate their weaknesses. The most common steps taken were using third parties (outside firms or consultants) to perform accounting tasks, hiring more people, performing more independent reconciliations or reviews, and reviewing the situation to develop a specific plan.
Thirty-two companies indicated that they plan to make improvements in the future. The most common changes they planned to make were hiring more people, performing more independent reconciliations or reviews, using third parties to perform accounting tasks, reassigning roles and responsibilities, and enhancing their procedures.
In many cases, a company was not able to address the weakness. Thirty-seven companies indicated that they would change things if they had more resources, and 11 companies stated that they were unlikely to make changes, given cost-benefit considerations.
Aiming for Effective Controls
The authors' analysis of newly available data mandated by SOX indicates that many smaller companies are dealing with segregation of duties weaknesses, typically stemming from having a limited number of staff. While adding more staff is one obvious solution to the problem, it is not always feasible. Other possible solutions include rotation of duties, management oversight, use of third parties to supplement in-house staff, and using a top-down, risk-based analysis to identify incompatible duties and then thinking about these issues with respect to important business risks and compensating controls. The bottom line is getting to effective internal controls, whether through segregation of duties or other forms of control that can offset segregation of duties limitations.
Audrey A. Gramling, PhD, CPA, CIA, is an associate professor, Dana R. Hermanson, PhD, is the Dinos Eminent Scholar Chair of Private Enterprise and professor, Heather M. Hermanson, PhD, is a temporary faculty member, and Zhongxia (Shelly) Ye, PhD, is an assistant professor, all at Kennesaw State University, Kennesaw, Ga.…
Publication information: Article title: Addressing Problems with the Segregation of Duties in Smaller Companies. Contributors: Gramling, Audrey A. - Author, Hermanson, Dana R. - Author, Hermanson, Heather M. - Author, Ye, Zhongxia - Author. Magazine title: The CPA Journal. Volume: 80. Issue: 7 Publication date: July 2010. Page number: 30+. © New York State Society of Certified Public Accountants Feb 2009. Provided by ProQuest LLC. All Rights Reserved.