Segregation of duties strengthens internal controls. Accounts payable or AP is one of the easiest channels for an organization to lose money if internal controls are weak. The AP department’s responsibility to monitor, process, and control payments to creditors is essential to avoiding improper payments. If there is no segregation of duties, internal controls are likely to be weak. If internal controls are weak, the risk of errors and improper payments increases.
Segregation of duties divides responsibilities across as many persons as practicable for internal control purposes, so that no one person can complete all or too many steps in a process. The goal of the division is to avoid allocating incompatible functions, or functions that increase the risk of fraud or error if combined and assigned to a sole individual. AP departments must divide payment-related processes between several persons in a way that reduces the risk of fraud and errors.
It is an internal control weakness if one employee can place orders, approve supplier invoices, accept deliveries, maintain vendor master files, enter invoices, prepare cheques, sign cheques, and dispatch cheques. It is also an internal control weakness if one employee sets up electronic funds transfer (EFT) facilities with the bank, approves EFT transactions, creates EFT files, transmits EFT files to the bank, and makes general ledger entries. It is easy to see how these scenarios are recipes for disaster.
When AP departments concentrate too many of the above functions in one person, the employee may be able to order personal goods or services on the organization’s account, create the vendor account (and perhaps eventually delete or inactivate the account to conceal evidence of wrongdoing), and completely process the payment without discovery. An employee could even concoct, enter, and process a dummy invoice all by themselves. If the employee also has access to make general ledger entries or prepare bank reconciliations, they can make or reverse other fraudulent entries to conceal their scheme. There are of course other internal controls that could uncover the improper payments. For instance, if a supervisor or other person independently reviews and analyzes reports detailing changes to vendor master files or listing the bank account numbers used for EFTs, those monitoring and control activities could uncover the improprieties.
The risk of fraud may exist even if an employee has control over just two of the activities above, such as maintaining vendor accounts and signing cheques or creating EFT files. The risk exists because these two processes, namely vendor master file maintenance, and cheque signing or EFT file creation are very incompatible from an internal control standpoint. The employee could create a fictitious vendor or even easier, temporarily change a vendor’s banking details to route an EFT payment to their own bank account.
Aside from reducing fraud risks, segregation of duties between people who perform tasks and those that review them is an internal control that reduces the likelihood of errors because there are fresh eyes that add a layer of double-checking and scrutiny.
Smaller organizations, in particular, may lack the resources to effect proper segregation of duties. In that case, those organizations should do the best they can to separate functions and implement compensating controls to mitigate any inadequacies. One solution may be to allocate some functions to another department outside of AP. For example, someone in the purchasing department or an administrative role may be a good candidate to receive training in maintaining vendor master files or performing other functions depending on organizational structure and the allocation of other responsibilities. Involving other non-AP departments opens up the pool of persons available for proper segregation of duties. Compensating controls may include more frequent or more rigorous reviews by a supervisor or other senior person who is minimally or not at all involved in processing payments or invoices.
Meeting your duty of care: Segregate duties within the AP department to ensure that no one person can complete or control several payment-related functions that could lead to fraud or errors. Segregate processes involving invoice approval, invoice entry, cheque printing (or EFT file creation), cheque signing (or EFT authorization), cheque distribution (or EFT transmission), and vendor master file maintenance, as much as possible to reduce the risk of fraud or error. Where it is not practicable to segregate functions, compensating controls, including increased reviews and monitoring will be necessary.
The concept of segregation of duties permeates First Reference’s internal control library, which includes Finance and Accounting PolicyPro. Read more on the segregation of duties in the AP department in Chapter 6 – Accounts Payable, including FN 2.16 – Vendor Master Files, and FN 5.11 – Electronic Funds Transfer.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30–day trials of Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, here.