Segregation of Duties

Introduction

The concept of Segregation of Duties is to separate the major responsibilities of authorizing transactions, custody of assets, recording of transactions and reconciliation/verification of transactions for each business process. From a separation of duties perspective, the completion of more than one of these functions would be considered performing "incompatible duties". In other words, no one employee should have responsibility to complete two or more of these major responsibilities. However, staff limitations may make this impractical, and that is when compensating controls must be considered.

Matrices are available upon request to assist you in structuring proper separation of duties and identifying areas where separation of duties is lacking. They cover the most common processes that everyone should have (Cash, Petty Cash, Investments, Purchasing, Payroll, Inventory, Fixed Assets and General Ledger). If you identify employees who perform two or more tasks for each business process area, you will need to determine whether those tasks would be considered a performance of "incompatible duties". If so, you will need to consider compensating controls or revise duties.

We should always strive for the optimum degree of segregation of duties. However, due to limited staff sizes at some organizations, optimum separation of duties cannot always be achieved. In those circumstances you should at least strive for an acceptable (minimal) level of segregation of duties which, when combined with compensating controls, will minimize the impact of control deficiencies and exposure to errors or irregularities.

A minimal level of segregation of duties could possibly be achieved by verifying that no one employee performs more than two of the "incompatible duties". For example, an employee might perform the authorization and verification/reconciliation functions, but they should not record the transaction or maintain custody of assets. A compensating control would be managerial review.

Some Basic Suggestions for Best Practices

Generally, the Chief Financial Officer, Controller and accounting department personnel should not have access to modify general ledger accounts or change mappings for these accounts. Normally these changes should be made by IT personnel after approval by the CFO or Controller.

Employees responsible for preparing/initiating a journal entry should not be able to approve or record the journal entries. Financial statements should be approved by supervisory personnel at a higher authority level than the person preparing the financial statements.

If the general ledger system is configured so that journals cannot be approved prior to posting, a compensating control would be to print a report of all journal entries at the end of each period and have a supervisory-level employee who does not have access to record transactions review and approve the transactions that have been recorded.