This article provides practical, affordable tips on mitigating risk when hiring isn’t an option.
When your district’s internal or external auditors suggest additional personnel, how should you respond when adding headcount isn’t an option? A finding around segregation of duties (SoD) is very common for districts that operate with lean staffing models. Are there other potential approaches, beyond adding headcount, to address the risks posed by your streamlined staffing approach, as flagged by your auditor?
Before outlining approaches for mitigating an inability to segregate critical business or IT functions, it’s prudent to revisit the risks and types of findings associated with SoD. The primary drivers for segregating who can perform specific functions are twofold:
- Management override of controls deals with a person or persons who have access or assigned responsibilities that could allow them to accidentally or intentionally bypass one or more of management’s controls.
- Misappropriation of assets focuses on a person or persons who have access or assigned responsibilities that could allow them to accidentally or intentionally misrepresent, misdirect, or misuse organizational assets.
The types of SoD issues commonly encountered are:
- System permissions, such as users with conflicting transactional responsibilities and/or administrator access. These users may have the ability to enter, approve, and post a transaction, either through elevated permissions within the system, conflicting functional permissions, or by creation of a second account, bypassing existing segregation of duties controls.
- Lack of oversight involves users who may perform a key process from start to finish and do not have a second individual who puts eyes on their work. This lack of oversight may result in errors or omissions making it through the process, leading to potential misstatements or fraud.
Your district can mitigate the risks even when additional headcount is not an option. While segregating critical functional or administrative duties may not be possible, here are potential approaches to mitigate the risks.
1) Determine if you can implement segregation of duties within the systems you already have.
Enabling application safeguards. While not all applications have the ability to enforce segregation of duties out of the box, many do have the option to configure additional safeguards. This functionality is particularly common in systems used for financial reporting, such as general ledgers. Additionally, many software vendors producing these applications develop patches to facilitate safeguards, such as preventing the user who enters a transaction from approving that same transaction. A review of system documentation or a conversation with your software vendor should help to identify if your applications can be configured or patched to implement this functionality.
Configuring granular permissions. If you have at least two people (three provides far greater resiliency when an employee is unavailable), you may be able to configure custom roles within your application. Roles can be configured with key processes in mind, requiring the involvement of a second person to complete key processes such as posting and approving journal entries. When leveraging this method, it is important to understand that the ability to administer user permissions within the application would create the ability to override this control. Therefore, the administrator permissions should be held by a separate individual not participating in the business process.
Separate accounts for daily activities and administration may provide additional flexibility. Similarly, several ERP systems also come with accounts with elevated privileges, such as “firefighter” accounts, which can only be unlocked to perform uncommon tasks or to address emergencies. If turnover is limited, using firefighter accounts for system administration could be an option. Divesting daily functions from elevated permissions would still require a review of activities performed by the administrator or “firefighter” account, but it would also significantly reduce the volume of activity that would need to be reviewed.
2) Manual controls can mitigate risks. Because manual controls require additional time and effort, they are typically implemented only if systemic solutions are not available to enforce SoD.
Reviews of transactions by independent personnel may be performed to mitigate risk. If users without sufficient SoD have administrative capabilities within the application, it is strongly recommended that a review of account creations and deletions also be performed to verify actions were not taken to bypass this review process.
Reconciliation to source documents may be performed by independent personnel.
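As an added illustration (not part of the original article or any vendor's tooling), the independent review described above can be run as a short script over exports from the financial system. The field names, user names, and records below are constructed assumptions; substitute the columns your own application exports.

```python
from collections import namedtuple

# Hypothetical export layouts; real systems will name these fields differently.
Entry = namedtuple("Entry", "entry_id entered_by approved_by")
AccountEvent = namedtuple("AccountEvent", "action account performed_by")

# Constructed sample data (not from any real system).
ENTRIES = [
    Entry("JE-1001", "akim", "bross"),     # two different people: no finding
    Entry("JE-1002", "akim", "akim"),      # entered and approved by one user
    Entry("JE-1003", "akim", "tmp_appr"),  # approved by an account akim created
    Entry("JE-1004", "bross", "akim"),     # two different people: no finding
]
ACCOUNT_EVENTS = [
    AccountEvent("create", "tmp_appr", "akim"),
    AccountEvent("delete", "tmp_appr", "akim"),
    AccountEvent("create", "cdiaz", "itadmin"),
]

def review(entries, account_events):
    """Return (entry_id, reason) findings for an independent reviewer."""
    created_by = {}   # account -> user who created it
    deleted = set()   # accounts deleted during the review period
    for ev in account_events:
        if ev.action == "create":
            created_by[ev.account] = ev.performed_by
        elif ev.action == "delete":
            deleted.add(ev.account)

    findings = []
    for e in entries:
        # Same person on both sides of the transaction.
        if e.entered_by == e.approved_by:
            findings.append((e.entry_id, "entered and approved by same user"))
            continue
        # Second-account bypass: the approver account was created by the enterer.
        if created_by.get(e.approved_by) == e.entered_by:
            findings.append((e.entry_id, "approver account created by the enterer"))
        # Approver account no longer exists, so the approval cannot be re-verified.
        if e.approved_by in deleted:
            findings.append((e.entry_id, "approver account deleted during review period"))
    return findings

if __name__ == "__main__":
    for entry_id, reason in review(ENTRIES, ACCOUNT_EVENTS):
        print(entry_id, "-", reason)
```

The person running this review should not hold administrator permissions in the application being reviewed.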
Not all districts fit neatly into these patterns. There may be other considerations that impact methods of operation. When considering how your district will approach segregation of duties or the alternate approaches to mitigating the risks typically addressed through segregation of duties, it is important to consider factors that are unique to your operations.
Bringing in experienced, independent personnel to gain additional feedback, where beneficial, can be key to implementing successful risk mitigation strategies. Your district’s internal or external audit professionals will likely be able to provide the knowledge and perspective you need.