Fighting weeds is a full time job in my backyard because when we moved in almost 10 years ago, the builder did not sod the backyard. Rather than spend the money, I chose to do it myself and battled the dirt and mud until the weeds took over. After I grew weary of constantly fighting the weeds, I tried planting grass seed, but the seeds were washed away or eaten by the birds. Finally, I transplanted strips of grass from my front yard and now have grass covering almost the entire yard. It only took eight years or so. I missed the boat by not doing the right thing (sodding the backyard) as soon as we moved in. Investing the time and money on the front end would have saved me (and the weeds) lots of hassle in the end.
Organizations often miss the boat when it comes to segregation of duties (SOD) just like I did with my grass. If not proactively addressed by management, weeds and erosion in the form of fraud and mismanagement can lead to constant struggles, loss of productivity, and even theft within the organization. Because properly creating SOD among employees is a complex process, management must collaborate to carefully craft the right plan.
The key is to design SOD at a business process level. Write down all the duties within each process and the responsible party (by position rather than the individual’s name). This will help identify which critical duties should be segregated and which duties may be combined. A grid can be an effective tool for mapping out the details. Highlighting the critical duties with a different color for each (access, authorization and accounting) will also help distinguish separate duties.
Once the duties are properly segregated within each process, consider how the business processes interact with one another. The goal here is to ensure that one person is not performing different duties in two different processes. This could create a break-down of SOD. For example, if the person responsible for approving a transaction for payment (authorization function in the check writing process) also has the ability to confirm receipt of goods or services (access function in the accounts payable process), these duties are not properly segregated.
Finally, obtain feedback from someone who wasn’t involved in the process of designing SOD. The ideal person understands controls, has the ability to ask difficult questions, and can provide an independent view of the design.
Even for organizations that already have SOD, it’s important to periodically reevaluate the controls to ensure you’re not missing the boat. For instance, when an employee leaves and their responsibilities are redistributed to others, this redistribution may inadvertently create a situation where an employee has responsibilities for more than one of the functions: access, authorization and accounting.
My family and I are moving to a new house with a smaller, completely sodded yard. No dirt, mud, or weeds! I will still miss my backyard—weeds and all—but I won’t make the mistake again of trying to take a shortcut and end up missing the boat! Stay tuned.