
Blog - Kofax (formerly 170 Systems) Perspectives on AP


Segregation of AP Duties
What's the Best Approach?


Question: What do the following situations all have in common?

  • A policeman ticketing a Dunkin' Donuts truck driver ...
  • A doctor prescribing medicine from a pharmaceutical company in which he owns stock ...
  • A politician accepting contributions from a special interest group ...
  • A procurement manager being wined and dined by vendors ...
  • A hungry wolf guarding the chicken coop ...
  • A judge sentencing a family member ...
  • Coaching your own son or daughter on a travel team ...

Answer: In each situation, there is a conflict of interest.

A conflict of interest is a situation where someone (such as a doctor, politician, procurement specialist, police officer, judge, coach, or wolf) has a personal interest or motivation that might compromise the reliability and integrity of larger obligations.

In many cases, especially where money is involved, a conflict of interest may tempt someone to break the law. Nowhere is this truer than in Accounts Payable.

In AP, there are many conflicting duties which should always be segregated. Segregating AP duties is one of the most important internal controls in finance. For example, the person entering an invoice should not approve that invoice, for obvious reasons. Similarly, the person who sets up a vendor should not enter the invoice into the ERP system. There are many more examples in AP where duties should be segregated. The problem is that most finance departments are under constant pressure to do more with less, and following segregation of duties to the letter requires enough staff, a luxury not every department has, especially in these economic conditions.

But wait! 

Haven't ERP systems addressed segregated duties through a security framework which governs the acceptable use for each authorized user? 

Aren't roles and responsibilities managed so that, for example, an entry-level accounts payable clerk can access only the modules related to her specific job function, while the CFO can access any module in the system?

Well ... yes ... but the problem with trying to maintain segregated duties through this classification approach is that these configurations are expensive to design and deploy. As employees are promoted, reassigned, or terminated, organizations must continually update their ERP systems with everyone's correct authorization level, including consultants, contractors and business partners. Supporting and maintaining the classifications and configurations is a resource-intensive job.

Furthermore, most organizations struggle with their initial ERP setup: millions are spent on projects that can take 3 or more years. Unfortunately, the setup of these segregated classifications is often the last phase of the project and does not receive the attention it requires, especially if the project is over budget or behind schedule, which is more common than not.

With AP automation that includes a robust workflow engine, you should have complete end-to-end visibility of the AP process as the invoice moves from one step to the next. The AP system should track all changes, maintaining a comprehensive audit trail of what was performed and by whom at every prior step, so that potential conflicts can be caught automatically at the transaction level.

Using this approach, limited headcount can still allow for segregated duties, since segregation is enforced at the transaction level instead of the job-role level. Employees can still be cross-trained and allowed to perform multiple functions as long as they don't perform conflicting duties on the same transaction. For example, an AP Specialist could both enter invoices and set up suppliers, as long as there is no conflict on any individual transaction.

This transaction-level segregation can be enforced by the workflow software, which lets you move away from restrictive job-role controls. Rather than limiting which functions employees can carry out as part of their jobs, this approach allows enterprises to boost productivity while mitigating the business risks.

One last point here ... this approach requires less overhead, since segregation rules are defined once at the process level, as opposed to the constant overhead of ERP administration.
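The transaction-level check described above, as an added example that is not Kofax/170 Systems code: it reads a per-step audit trail of who did what, refuses a step that would put two conflicting duties in one person's hands on the same transaction (the preventive control), and reports transactions where that has already happened (the detective control). The two conflict rules are the ones named in the post; the event format, invoice and vendor ids and user names are constructed assumptions.

```python
# Added example, not Kofax/170 Systems code: transaction-level segregation of
# duties over a workflow audit trail. Event format, ids and names are constructed.
from collections import defaultdict
from dataclasses import dataclass

# Duty pairs no one person may perform on the same transaction (the two named
# in the post). Defined once at the process level, not per job role.
CONFLICTING_DUTIES = [("enter_invoice", "approve_invoice"),
                      ("setup_vendor", "enter_invoice")]

INVOICES = {"INV-1001": "V-77", "INV-1002": "V-77",   # constructed master data:
            "INV-1003": "V-88", "INV-1004": "V-88"}   # invoice -> vendor it pays

@dataclass(frozen=True)
class Event:
    entity: str   # invoice id, or vendor id for vendor-master steps
    step: str
    user: str

def duties_on(trail, invoice):
    """Map each duty on this invoice (incl. setup of its vendor) to who did it."""
    actors = defaultdict(set)
    for e in trail:
        vendor_step = e.entity == INVOICES[invoice] and e.step == "setup_vendor"
        if e.entity == invoice or vendor_step:
            actors[e.step].add(e.user)
    return actors

def conflicts(trail, invoice):
    """Detective control: (user, duty_a, duty_b) violations already recorded."""
    actors = duties_on(trail, invoice)
    return sorted((u, a, b) for a, b in CONFLICTING_DUTIES
                  for u in actors[a] & actors[b])

def may_perform(trail, invoice, step, user):
    """Preventive control: refuse a step that would create a conflict on this invoice."""
    return not conflicts(trail + [Event(invoice, step, user)], invoice)

def exception_report(trail):
    """Flag every invoice carrying a violation for later management review."""
    return {inv: conflicts(trail, inv) for inv in INVOICES if conflicts(trail, inv)}

# Constructed audit trail; alice is cross-trained (vendor setup and invoice entry).
TRAIL = [Event("V-77", "setup_vendor", "alice"),
         Event("INV-1001", "enter_invoice", "bob"),
         Event("INV-1001", "approve_invoice", "carol"),
         Event("INV-1003", "enter_invoice", "alice"),   # allowed: she did not set up V-88
         Event("INV-1002", "enter_invoice", "alice"),   # violation: she set up V-77
         Event("INV-1004", "enter_invoice", "dave"),
         Event("INV-1004", "approve_invoice", "dave")]  # violation: enter + approve
```

Note that alice's entry on INV-1003 passes while her entry on INV-1002 is flagged: the same cross-trained person is acceptable or not depending only on what she already did on that transaction, which is the point of moving the rule from the job role to the transaction.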

-Rakesh Shukla
@rakesh170


Comments

Rakesh,

There is more to SOD than just what happens in the system at the transaction level. For example, one of the most critical gateways to fraud is the establishment of a fictitious supplier. Many organizations are vulnerable in this area because their supplier approval and validation process outside the system (or lack thereof) allows employees to request suppliers. The person doing the data entry is merely following the instructions of the requestor or approver. With a fictitious supplier set up in the application, fraud can be committed by having access to a number of single functions such as PO entry or invoice entry. It can also be committed by having access to approving invoices outside the system. Therefore, in some cases, AP fraud can be committed without access to the system whatsoever.

This is the subject of my next book - Risk Assessment for Payables in an Oracle EBS Environment.

Regards,
Jeffrey T. Hare, CPA CISA CIA
Posted @ Tuesday, August 11, 2009 3:44 PM by Jeffrey T. Hare, CPA CISA CIA
Jeff,

Thanks for the thoughtful post. Please let us know when your book is published!

One point that I would like to add is that the supplier approval and validation process should NOT be done outside the system. AP and/or Procurement should have ownership and responsibility of this critical process, no?

Nat Goodman likes to advocate that every addition or change to the vendor master should be verified to approved documents [such as updated W9s, contract amendments, verified correspondence, etc]. That means approval and support before keying AS WELL AS verification to file changes AFTER processing.

More here:

http://blog.170systems.com/bid/8691/Preventing-Vendor-AP-Fraud-A-Great-Tip-For-Maintaining-Your-Vendor-File

Posted @ Tuesday, August 11, 2009 4:23 PM by Rakesh Shukla
Rakesh,

Good points. The supplier approval and validation as well as the subsequent 'audit' of the data entry are perhaps the most critical steps to prevent fraud in the PTP cycle.

The book is a long way from being done. I am just starting to formulate the outline and scope.

Regards,
Jeff
Posted @ Tuesday, August 11, 2009 4:44 PM by Jeffrey T. Hare, CPA CISA CIA
Reposted from LinkedIn:

The reality is segregation is incredibly important, as a single fraud case could pay for staff for a couple of years. The best approach is to break it down into 2 categories:

1- Non-negotiable segregation

2- Those minor ones which you can manage after the event via reports

So as long as you have a clear control under point 2, you should be able to mix, when required, some of the access in question.

Ricardo da Silva

Posted by Ricardo Da Silva
 
Posted @ Tuesday, September 08, 2009 5:39 AM by Rakesh Shukla
Reposted from LinkedIn:

When a strict segregation of duties is not possible, there should be some mitigating control(s) in place. For example, if there is a tracking mechanism so that anyone who both enters and approves an invoice has that transaction flagged for later review, then that may constitute a mitigating control. The general rule is that a control should be in place whenever there is a possibility of a fraudulent transaction going undetected. Segregation of duties is one such control, a preventive control, but a management review may be an alternative (a detective control).

Posted by Richard Fowler, CISA, CFE
 
Posted @ Tuesday, September 08, 2009 12:24 PM by Rakesh Shukla
Reposted from LinkedIn:

I agree with all of the comments placed; however, Richard makes a very good point with regards to mitigating controls. A majority, if not all, AP invoices are approved online, and as a result, most IT Departments have some type of footprinting capability embedded in their PARMS. Normally the footprint is triggered by the employee ID code. So when there is a lack of employee controls in place, then the technical, or mitigating, controls need to be enhanced. I would suggest working with your IT Department in fashioning a mitigating control in which the system will only allow an employee to complete one step of the AP process. If that same employee tries to complete an additional step, their system will either kick them out or lock. A report will also be generated and sent to IT and their Manager. Sr. Management needs to identify a violation tolerance level, at which time progressive discipline will be enacted.

Posted by Mark Banks
 
Posted @ Wednesday, September 09, 2009 1:03 PM by Rakesh Shukla
Reposted from LinkedIn:

Rakesh,

I performed a pro bono audit for a non-profit that I am associated with. The administrator did everything subject to the unpaid treasurer's signature (too trusting!). Then I learned that the administrator had a garnishment and her spouse as a vendor. Now a detail-oriented CFO (unpaid) reviews, but these jobs are short-term.

The only solution is visibility and close cost center scrutiny. Procedures, not personalities, will predominate.

Best Regards,

Nat
Posted @ Wednesday, September 09, 2009 1:29 PM by Rakesh Shukla
Reposted from LinkedIn:

I am beginning my career with studying to be a CFE and think that segregation of duties is very important; however, with companies cutting positions plus adding more duties to their home job, it seems companies are starting a bad trend to create more fraud throughout their companies.

Posted by Cristine Bohacek
 
Posted @ Wednesday, September 09, 2009 1:32 PM by Rakesh Shukla
I would look at preventive and detective tools out there to set approvals or reporting when conflicting transactions are being made. It has to be an external tool if the ERP doesn't have its own capability.
Posted @ Friday, September 11, 2009 12:23 PM by Nasser Khan
Reposted from LinkedIn: 
 
A formal Conflict of Interest Policy is a first step. It should include a definition, examples, and consequences of violating the Policy.  
 
By Michael Sykes Corporate Accounts Payable Manager @ AmeriCold Logistics
Posted @ Sunday, September 13, 2009 7:13 PM by Rakesh Shukla
Reposted from LinkedIn:

Rakesh,

I performed a pro bono audit for a non-profit that I am associated with. The administrator did everything subject to the unpaid treasurer's signature (too trusting!). Then I learned that the administrator had a garnishment and her spouse as a vendor. Now a detail-oriented CFO (unpaid) reviews, but these jobs are short-term.

The only solution is visibility and close cost center scrutiny. Procedures, not personalities, will predominate.

Best Regards,

Nat Goodman

President at Goodman & Associates

Posted @ Monday, September 14, 2009 6:45 AM by Rakesh Shukla
Reposted from LinkedIn:

Agreed, a formal conflict of interest policy is an important discipline, and the more defined the better. Unfortunately, I am seeing many companies lose their staff and it is becoming near impossible for them to observe segregation of duties... policy or not.

By Tom Flynn, VP Account Management at Lavante, Inc.
 
Posted @ Thursday, September 17, 2009 6:47 AM by Rakesh Shukla
Rakesh, perhaps you should not look for the 'best approach to segregate duties', but instead focus on the risk, what could go wrong in a particular area and how to build compensating controls. As you've mentioned, finance departments are under increasing pressure to do more with less -- the reality to consider is: given the limited resources, the things that could go wrong, what system, automated, manual, or other compensating controls can be put into place to mitigate the risk/exposure.  
 
Michael Sykes  
 
Corporate Accounts Payable Manager @ AmeriCold Logistics 
 
Posted @ Tuesday, September 22, 2009 4:52 PM by Rakesh Shukla