
Kennesaw State University DigitalCommons@Kennesaw State University

Faculty Publications

7-2010

Addressing Problems with the Segregation of Duties in Smaller Companies

Audrey A. Gramling Kennesaw State University, [email protected]

Dana R. Hermanson Kennesaw State University, [email protected]

Heather M. Hermanson Kennesaw State University, [email protected]

Zhongxia Shelly Ye Kennesaw State University, [email protected]

Follow this and additional works at: https://digitalcommons.kennesaw.edu/facpubs

Part of the Commons

Recommended Citation

Gramling, Audrey A., et al. "Addressing Problems with the Segregation of Duties in Smaller Companies." CPA Journal 80.7 (2010): 30-4.

This Article is brought to you for free and open access by DigitalCommons@Kennesaw State University. It has been accepted for inclusion in Faculty Publications by an authorized administrator of DigitalCommons@Kennesaw State University. For more information, please contact [email protected].

ACCOUNTING & AUDITING: internal controls

Addressing Problems with the Segregation of Duties in Smaller Companies

By Audrey A. Gramling, Dana R. Hermanson, Heather M. Hermanson, and Zhongxia (Shelly) Ye

One of the fundamental elements of effective internal control is segregation of duties, meaning that a process is divided among several people. As such, no single person can take advantage of the situation for personal gain or other impropriety. Although segregation of duties is prevalent in larger, more bureaucratic organizations, it can present a challenge for smaller companies with limited personnel and constrained resources.

Newly available data can shed light on the problems smaller companies face in the segregation of duties. Specifically, the segregation of duties material weaknesses disclosed by smaller companies under Sarbanes-Oxley (SOX) section 404(a) for the 2008 fiscal year are analyzed below. SOX section 404(a) requires management to provide its assessment of the effectiveness of internal control over financial reporting and to disclose any material weaknesses in internal control. Smaller reporting companies do not yet have to comply with SOX section 404(b), which requires an auditor's opinion on the company's internal controls.

This article explores the types of smaller companies with segregation of duties problems; the nature of the weaknesses, including specific accounting areas affected and any compensating controls; possible solutions; and the sample companies' efforts to remediate these weaknesses.

Sample Companies

The Analytics database was used to identify smaller companies with material weaknesses related to segregation of duties. Specifically, companies with the following characteristics were selected:

■ The Sarbanes-Oxley section 404(a) management report on internal controls indicated ineffective controls (at least one material weakness exists).
■ One of the reasons listed was "IC—Segregations of duties/Design of controls (personnel)" (the material weakness involves a segregation of duties problem).
■ The fiscal year was 2008.
■ The company's market value was less than $75 million (the cutoff for smaller reporting companies is $75 million of public float).
■ The company was U.S.-based.

These criteria yielded 358 small companies with segregation of duties material weaknesses disclosed by management, out of approximately 700 smaller companies with ineffective internal controls due to any type of material weakness. (A similar search of large companies [market value greater than $75 million] yielded less than 30 larger companies with segregation of duties material weaknesses. Thus, segregation of duties problems appear to be mainly a small company issue.) These 358 small companies were sorted by name and the first one-third of the management reports were analyzed, ultimately resulting in a sample of 116 companies.

Exhibit 1 presents descriptive information on the 116 sample companies. Their median market value was under $5 million, and their median assets were just over $1 million. Many of the companies also appear to be in the startup stage, as 42 have no revenues (median revenues were under $100,000), and the median net loss was nearly $1.3 million. The industry mix was weighted toward manufacturing and service companies. The median total number of material weaknesses reported by each company was two, ranging from one to eight.

EXHIBIT 1
Sample of Smaller Companies with Material Weaknesses Related to Segregation of Duties (116 Companies)

Company Size*                                        Median
Market Value                                         $4,923,425
Revenues                                             $81,150
Assets                                               $1,066,443
Net Income                                           −$1,274,507

SIC Codes                                            Companies
0000-1999 Agriculture, Mining, and Construction      18
2000-3999 Manufacturing                              33
4000-4999 Transportation and Communication           8
5000-5999 Wholesale and Retail                       8
6000-6999 Financial, Insurance, and Real Estate      8
7000-8999 Services                                   36
9995 Nonoperating                                    5
Total                                                116

Total Number of Material Weaknesses
Median number of material weaknesses per company     2
Range of material weaknesses per company             1–8

* Not all companies reported figures in this section; 42 companies reported revenues of 0.

Nature of the Segregation of Duties Weaknesses

The authors analyzed the management report on internal control for each of the 116 sample companies in order to understand the nature of the segregation of duties weaknesses. The reports differ in their level of disclosure, with some companies providing limited, boilerplate language and others providing in-depth discussions of their material weaknesses, compensating controls, and present and future remediation efforts.

As shown in Exhibit 2, the vast majority of companies described their segregation of duties weaknesses as too few employees (90 companies). A significant number (22 companies) did not discuss the specifics of the problem. Seven companies indicated that they have only one or two officers or directors.

Some companies mentioned specific accounting areas affected by the segregation of duties material weaknesses. The most commonly mentioned areas were disbursements, cash, accounts payable/invoice approval, purchases, and period-end closing. It is clear that the primary area of concern is the disbursement cycle, where a lack of segregation of duties can result in unauthorized purchases and payments. (See the Association of Certified Fraud Examiners' [ACFE] 2008 Report to the Nation on Occupational Fraud and Abuse, www.acfe.com/documents/2008-rttn.pdf, for details on the prevalence of disbursement fraud.)

Some companies discussed compensating controls that may partially mitigate the segregation of duties problem. The two most commonly mentioned compensating controls were management, board, or other independent reviews and reconciliations, and third-party reviews. Thus, additional review, whether done by company insiders or third parties, is the key compensating control cited by management.

EXHIBIT 2
Summary of Weaknesses Related to Segregation of Duties (116 companies)

Nature of Segregation of Duties Material Weaknesses*                    Companies
Not enough people                                                       90
Nonspecific segregation of duties problem                               22
Only have 1–2 officers or directors                                     7
Other                                                                   2

Specific Areas or Accounts Mentioned
Cash disbursements                                                      6
Cash                                                                    5
Accounts payable/invoice approval                                       3
Purchases                                                               3
Period-end closing process                                              3

Compensating Controls Mentioned
Management/board review, independent reviews, and reconciliations       14
Third-party review                                                      4

* Some companies are reflected in more than one category.

Resolving Segregation of Duties Problems

Several entities and commentators offer guidance and suggestions for addressing segregation of duties challenges, especially for small companies.

Adding more people. One obvious solution to segregation of duties weaknesses is to add more people to the organization. It is difficult to offer a general rule regarding how many people are needed for an appropriate segregation of duties, as the number needed will depend on the company setting, the specific processes involved, the skill levels of the employees, and a host of other factors.

There is some debate about whether adding more people is an optimal solution. For example, the University of Colorado policy manual asserts that adding more people is typically the best solution, but recognizes that it is not always feasible (www.cu.edu/security/ps/INTERNAL_CONTROLS.HTML):

  Compensating Controls are less desirable than separation of duties because they generally occur after the transaction is complete (post audit). Relying completely on compensating controls is less desirable than separation of duties because it takes more resources to investigate and correct errors, and recover losses, than it does to prevent them. However, in some circumstances, departments do not have the staff resources to establish adequate separation of duties, so they have no choice in the matter. In these instances, it is important for management to implement controls that compensate for the increased risk.

In contrast, a common theme among many commentators appears to be that hiring more employees may not be the best solution to segregation of duties material weaknesses. Rather, many suggest that companies focus on reducing risk in crucial areas. As the Committee of Sponsoring Organizations of the Treadway Commission (COSO) states in its 2006 Internal Control over Financial Reporting—Guidance for Smaller Public Companies (p. 5), "Segregation of duties is not an end in itself, but rather a means of mitigating risk inherent in processing."

Beyond adding more people, professional guidance tends to focus on four other types of solutions: rotation of duties; management oversight; third-party involvement; and top-down, risk-based analysis. Some combination of these solutions may be the best alternative for many small businesses.

Rotation of duties. Some companies that may not have the ability to add people can periodically rotate duties among existing personnel. The ACFE's 2008 report highlighted the effectiveness of job rotation and mandatory vacation in reducing fraud losses. Organizations using job rotation or mandatory vacation had median fraud losses that were more than 60% lower than companies that did not use job rotation or mandatory vacation. Fraud investigator Joseph Wells also points to job rotation as a key fraud deterrent, but recognizes that job rotation may be difficult for some very small organizations to employ ("The Case of the Pilfering Purchasing Manager," Journal of Accountancy, May 2004).

Management oversight. Some small businesses may need to rely on greater management involvement in day-to-day activities. For instance, COSO's 2006 internal control guidance states:

  Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties. There are, however, actions management can take in order to compensate for potential inadequacy. These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control. (p. 4)

Thus, COSO primarily points to additional management review and reconciliations to bolster controls when segregation of duties is lacking. If management review is used as a key control, however, it is critical that the managers have appropriate knowledge of accounting and understanding of the underlying transactions that they are reviewing.

The SEC's Advisory Committee on Smaller Public Companies offers a similar perspective in its 2006 final report (www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf), calling for senior management to be directly involved when segregation of duties is weak:

  In smaller companies, people wear multiple hats … The result is that segregation of duties, a key element of effective internal control, may not be achievable to the extent desired. This lack of segregation of duties requires senior management to be involved in all material transactions and directly involved in financial reporting. (pp. 35–36)

Management's daily involvement in material transactions can serve to mitigate segregation of duties issues. Management can rely on exception reporting to highlight areas for further review. For example, the company's information system can generate reports of disbursements over a certain threshold or disbursements to unrecognized vendors for management review.

In addition, regular analytical review procedures also may help highlight unusual trends. For example, most businesses should have fairly stable gross profit and operating profit relationships. Being familiar with key operating figures and ratios should help management identify abnormal shifts in key accounts. Regular use of horizontal and vertical analysis should provide management with an understanding of baseline performance, enhancing the opportunity to detect problems.

A common theme is that management must have financial expertise if the business is going to rely on management oversight in lieu of traditional segregation of duties. In addition, a business may derive greater benefits from a more informed management team than from additional employees hired purely to resolve segregation of duties conflicts. Consistent with this notion, a recent GAO report, Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (www.gao.gov/new.items/d06361.pdf), suggests that active management involvement is as effective and efficient as other types of controls:

  According to COSO, however, some of the unique characteristics of smaller companies create opportunities to more efficiently achieve effective internal control over financial reporting and more efficiently evaluate internal control which can facilitate compliance with section 404. These opportunities can result from more centralized management oversight of the business, and greater exposure and transparency with the senior levels of the company that often exist in a smaller company. For instance, management's hands-on approach in smaller companies can create opportunities for less formal and less expensive communications and control procedures without decreasing their quality. To the extent that smaller companies have less complex product lines and processes, and/or centralized geographic concentrations in operations, the process of achieving and evaluating effective internal control over financial reporting could be simplified. (p. 19)

Third-party involvement. Others point to third-party involvement as a potential solution to segregation of duties weaknesses. The PCAOB's 2009 Guidance for Auditors of Smaller Public Companies addresses this issue:

  Use of external parties also can help achieve segregation of certain incompatible duties without investing in additional full-time resources … Consultants, other professionals, or temporary employees can assist companies in performing some controls or other duties. For more complex or specialized portions of internal control, such as cash receipts handling, payroll processing, or securities recordkeeping, the company might use an external party to perform an entire function. (p. 25)

One potential third party to consider is an external CPA. Eve E. Brown, in "Five Common Mistakes of Small Business Owners" (www.sbrn.org/Connections/05_00_Five_Common_Mistakes.htm), suggests that small-business owners:

  Find a professional you're comfortable with and use their knowledge to make your business run smoothly. Involving your CPA as a "partner" in your business allows him or her to analyze your situation and establish an accounting system that works for your business. … This effort can be as simple as having your bank statements sent directly to your CPA before passing them along to your bookkeeper. If your CPA doesn't scrutinize the statements, a quick review can sometimes uncover unusual entries or trends. You should also obtain the necessary reports at month's end that tie all financial activity together for that time period. These reports let you see where you stand month to month and reveal any mistakes or financial misconduct.

When considering the use of third parties, it is important to analyze the costs and benefits of using third parties as compared to hiring an additional person or using more direct management involvement.

Top-down, risk-based analysis. Many software companies and IT auditors focus particular attention on segregation of duties issues. Several companies offer software products that identify incompatible system duties held by the same individual. These companies typically develop large matrices to document all possible duties and highlight every conflict. While this technique was popular during the early stages of SOX implementation, many argue that a focus on a matrix of incompatible duties puts too much focus on noncrucial conflicts, draining resources from key risk areas. As a result, many auditors are touting a risk-based approach ("Segregation of Duties in the Real World," Oversight Systems, www.oversightsystems.com/whitepapers/Real_World_SoDs_060808.pdf):

  Rather than approaching every SOD [segregation of duties] conflict with equal importance, risk-based segregation considers each conflict in the context of its effect on financial integrity and the likelihood of actual violations. (p. 4)

Similarly, Nick Stone, corporate audit manager of Cree Inc., calls for IT auditors to use a risk-based approach to evaluating segregation of duties conflicts that they identify in their companies' systems ("Simplifying Segregation of Duties," Internal Auditor, April 2009):

  In many organizations, responsibility for testing SOD is relegated to the IT auditor — for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. While not incorrect, this knee-jerk response overlooks the importance of understanding business risks and existing controls already in place to address those risks. IT auditors traditionally assigned SOD testing (or control design) should rise above nuanced logical access settings and understand the business in a way that facilitates more practical control mechanisms and more efficient audit procedures … Instead of starting with these automated tools, auditors should consider putting the scripts down (at least for now) and focusing on understanding the few critical risks that need to be controlled. Once these risks are understood, scripts can be used on a targeted basis to streamline SOD testing.

Thus, segregation of duties weaknesses must be considered within the broader context of key business risks and compensating controls.

Once these key risk areas are identified, management should ask the following questions, implementing segregation of duties where appropriate:

■ Are sensitive transactions documented/mapped so that each step is clearly understood?
■ Are key points in the transaction processes identified where one person's ability to perform tasks ends and another's begins?
■ Are employees in sensitive positions properly vetted?
■ Are processes in place to adjust system access when employees change roles within the organization?
■ Are employees who handle sensitive information required to take mandatory vacations, or are they required to change roles periodically (rotation of duties)?

("Segregation of Duties and Oversight Controls Gone Wrong," Tom Olzak, it.toolbox.com, January 27, 2008)

Companies' Remediation Efforts

As shown in Exhibit 3, many of the 116 companies' management reports on internal control also discuss the status of any remediation efforts. Upon analysis, many of these efforts are consistent with the guidance discussed above.

Nineteen companies had already taken some steps to remediate their weaknesses. The most common steps taken were using third parties (outside firms or consultants) to perform accounting tasks, hiring more people, performing more independent reconciliations or reviews, and reviewing the situation to develop a specific plan.

Thirty-two companies indicated that they plan to make improvements in the future. The most common changes they planned to make were hiring more people, performing more independent reconciliations or reviews, using third parties to perform accounting tasks, reassigning roles and responsibilities, and enhancing their procedures.

In many cases, a company was not able to address the weakness. Thirty-seven companies indicated that they would change things if they had more resources, and 11 companies stated that they were unlikely to make changes, given cost-benefit considerations.

EXHIBIT 3
Efforts to Remediate Weaknesses Related to Segregation of Duties (116 companies)

Remediation Status*                                                 Companies
Would change if had more financial resources                        37
Plan to do something, but have not started (not cost issues)        32
None mentioned                                                      25
Have done some remediation                                          19
Unlikely to change given cost-benefit considerations                11

Remediation Steps Already Taken
Used third parties to perform accounting tasks                      7
Hired more people                                                   5
Performed more independent reconciliations or reviews               3
Reviewing the situation, and developing a plan                      3

Remediation Steps Planned in Future
Hire more people                                                    8
Perform more independent reconciliations or reviews                 8
Use third parties to perform accounting tasks                       4
Reassign roles and responsibilities                                 2
Enhance procedures                                                  2

* Some companies are reflected in more than one category.

Aiming for Effective Controls

The authors' analysis of newly available data mandated by SOX indicates that many smaller companies are dealing with segregation of duties weaknesses, typically stemming from having a limited number of staff. While adding more staff is one obvious solution to the problem, it is not always feasible. Other possible solutions include rotation of duties, management oversight, use of third parties to supplement in-house staff, and using a top-down, risk-based analysis to identify incompatible duties and then thinking about these issues with respect to important business risks and compensating controls. The bottom line is getting to effective internal controls, whether through segregation of duties or other forms of control that can offset segregation of duties limitations.

Audrey A. Gramling, PhD, CPA, CIA, is an associate professor, Dana R. Hermanson, PhD, is the Dinos Eminent Scholar Chair of Private Enterprise and professor, Heather M. Hermanson, PhD, is a temporary faculty member, and Zhongxia (Shelly) Ye, PhD, is an assistant professor, all at Kennesaw State University, Kennesaw, Ga.

34 JULY 2010 / THE CPA JOURNAL
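
The following is an added illustration, not code from the article or from any product it cites, of the contrast drawn in the discussion of top-down, risk-based analysis: a matrix check lists every incompatible duty pair a user holds, while a risk-based ranking weights each pair by its impact and by violations actually observed in an activity log. The duty names, impact ratings, staff, log entries and scoring formula are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed conflict matrix for the disbursement cycle: incompatible duty
# pair -> assumed impact on financial integrity (1 = low, 5 = high).
CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}): 5,
    frozenset({"approve_invoice", "release_payment"}): 4,
    frozenset({"release_payment", "reconcile_bank"}): 4,
    frozenset({"enter_invoice", "approve_invoice"}): 2,
}
# Constructed duty assignments for a three-person company.
ASSIGNMENTS = {
    "bookkeeper": {"create_vendor", "enter_invoice", "approve_invoice",
                   "release_payment"},
    "controller": {"approve_invoice", "reconcile_bank"},
    "ceo": {"release_payment", "reconcile_bank"},
}
# Constructed activity log: (transaction, user, duty performed).
ACTIVITY = [
    ("INV-1001", "bookkeeper", "enter_invoice"),
    ("INV-1001", "controller", "approve_invoice"),
    ("INV-1001", "ceo", "release_payment"),
    ("INV-1002", "bookkeeper", "enter_invoice"),
    ("INV-1002", "bookkeeper", "approve_invoice"),
    ("INV-1002", "bookkeeper", "release_payment"),
    ("INV-1003", "bookkeeper", "approve_invoice"),
    ("INV-1003", "bookkeeper", "release_payment"),
]
# Conflicts already covered by a compensating control (assumed: a third
# party independently reviews the bank reconciliation).
COMPENSATED = {("ceo", frozenset({"release_payment", "reconcile_bank"}))}


def potential_conflicts(assignments):
    """Matrix view: every incompatible pair a user is able to perform."""
    return [(user, frozenset(pair))
            for user, duties in sorted(assignments.items())
            for pair in combinations(sorted(duties), 2)
            if frozenset(pair) in CONFLICTS]


def actual_violations(activity):
    """Count transactions on which one user performed both duties of a pair."""
    done = defaultdict(set)
    for txn, user, duty in activity:
        done[(txn, user)].add(duty)
    counts = defaultdict(int)
    for (_txn, user), duties in done.items():
        for pair in CONFLICTS:
            if pair <= duties:
                counts[(user, pair)] += 1
    return counts


def ranked_conflicts(assignments, activity, compensated=COMPENSATED):
    """Risk-based view: score = impact * (1 + observed violations), halved
    when a compensating control exists. The formula is an assumption."""
    counts = actual_violations(activity)
    rows = []
    for user, pair in potential_conflicts(assignments):
        seen = counts.get((user, pair), 0)
        score = CONFLICTS[pair] * (1 + seen)
        if (user, pair) in compensated:
            score /= 2
        rows.append((score, user, tuple(sorted(pair)), seen))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for score, user, pair, seen in ranked_conflicts(ASSIGNMENTS, ACTIVITY):
        print(f"{score:>5} {user:<11} {' + '.join(pair):<36} observed={seen}")
```

On this sample the matrix alone rates vendor creation plus payment release highest, but the ranking puts invoice approval plus payment release first because the log shows the bookkeeper doing both on two invoices.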