January 18, 2024
AccountingOS

How segregation of duties can protect your business

Topics:

A business owner, CPA, and best friend all walk into a store.

One gets arrested, the other embarrassed, and the last bankrupt.

This is a story of fraud.

Today I tell this story and why segregation of duties would have fixed it.

But first, today's sponsor.

BROUGHT TO YOU BY...

NetSuite is the #1 Cloud ERP that gives you complete visibility and control over your business operations, including financials, inventory, HR, CRM and more. Over 37,000 organizations have turned to NetSuite to help grow their top and bottom lines.

Click here to learn what top CFOs complete every day to become more strategic and efficient.

Get the CFO Checklist

Want to advertise to 40,000 small business owners and leaders? Go here.

HOW SEGREGATION OF DUTIES CAN PROTECT YOUR BUSINESS

Years ago I was doing a Q&A with a CPA I’d engaged for a “Reviewed Financial” at a business I worked for. Reviewed Financials are one step under audited, which means they have less strict standards. I’d convinced the bankers to do reviewed over audited to save some money, but that’s another story for another day.

As we went through the questionnaire, we came to a set of questions about the accounting controls and segregation of duties we had in place.

Since I’ve slept a few times since then, I don’t remember the specific question or my specific response, but I do know I made a joke.

As soon as the joke left my lips, the CPA paused, completely changing the tone of the conversation.

“This is serious, Kurtis.”

Woah, who woke up on the wrong side of the bed?

Yes, I did take it seriously. I took it very seriously because trust in small business is one of the most valuable currencies there is.

But when it came to controls and segregation of duties, it was clear this CPA saw this as an area of grave importance.

As we continued, I learned why.

Turns out the CPA had a long-time client who had just learned they’d been stolen from for years. And not just a little stolen from… stolen from to the tune of millions of dollars. How, you ask?

Well, it was their best friend.

When the entrepreneur started the businesses, they asked their best friend (a recent accounting graduate) to help them with the books. As the business grew, the friend’s role grew too. Eventually, the business became big enough that the friend came on full-time and even hired a few staff to work with them.

Despite offloading some work, the friend never gave up reconciliations and signed all the checks (at some point the owner had passed this off, trusting them deeply).

When the business was struggling, the CPA came in to take a deeper look. It was to both their surprise (the CPA and owner) to learn that the friend had been stealing. They both had decades-long relationships, the best friends even growing up together.

As the story came out, it turns out that for years the friend had had a gambling problem and stolen the money to cover their personal losses.

The numbers started small but got bigger and bigger. Every step along the way, the friend tried to find ways out, but could never come clean.

It not only broke the relationship, but it broke the business and ended up with the best friend in jail. The business went bankrupt and the CPA felt partially responsible.

The CPA had let their friendship with both the owner and friend get in the way of asking harder questions earlier.

While the CPA had no liability or reason to feel guilty, it’s natural to look back and question what you could have done differently.

So, it was in that moment with me that the seriousness of accounting controls and segregation of duties came into focus.

I don’t want to assume everyone knows what these words are and what they mean, so I’m going to walk through what controls look like.

What are Segregation of Duties?

Segregation of Duties is splitting job functions between different employees to reduce error and reduce fraud risk in a business.

By splitting responsibilities, you accomplish a few things:

  1. Reduce the likelihood of fraud or errors
  2. Increase the number of people who understand the process
  3. Improve the financial integrity of the records

There are 3 elements to segregating duties: authorization, custody, and records.

Authorization: This is determining who is responsible for approving, or authorizing the transaction. The approver should be separate from the person doing the creation work if at all possible.

Custody: If there is a physical asset, such as cash or inventory, the person who controls the asset should not be involved in the record-keeping part of the process.

If there is a physical asset, such as cash or inventory, the person who controls the asset should not be involved in the record-keeping part of the process.

Record-keeping: This is the traditional accounting work. The taking “pen to paper” or more likely in today’s world… “keyboard to accounting system.” The person doing this work should not be the one authorizing or controlling the transaction, which protects them from perception of fraud.

The goal to split the 3 elements so that no one person has control over multiple parts of the process.

In small to medium businesses, this can be anywhere from hard to impossible, so you want to do the best you can in your situation.

Today I’m going to address some best practices to help you get started thinking about this, then next week we’ll go a little bit deeper.

Best Practices

Written policies and procedures

It’s rare to walk into a small business and for them to have written policies and procedures. What this means is that they’re susceptible to that key employee leaving and losing all that knowledge.

I like to think of the accounting documentation stack in 3 levels:

  1. Policies
  2. Procedures
  3. Checklists

Policies establish intent, approval processes, expectations, and accounting treatment.

Procedures provide step-by-step instructions on how you, and your business, do the task.

Checklists are just an extension/simplification of the previous two but are broken down into two parts: checklists related to procedures and checklists related to overall workflow.

The checklists related to procedures will be a part of the procedure document and used as the employee works through that process.

The checklists related to overall workflow are used weekly, monthly, or annually to ensure that in the regular rhythm of the business, things aren’t missed. These can incorporate multiple policies and/or procedures, depending on the scope of the checklist.

Define the roles

Job Descriptions are often the bud of jokes because they are sterile documents that often barely relate to the job actually done. But, when done right, they can provide a lot of value in establishing where the lines are drawn in segregation of duties.

The conversation of segregation of duties needs to be a regular and prominent conversation in an accounting department.

It should be the goal of everyone in the department to help others avoid conflicts.

With each process, define the steps and identify who is going to complete them.

Software hygiene

Software is a huge help in segregation of duties, but too many businesses are not managing it well.

I think of it in 3 ways:

Access. Providing the right access is key to protecting both the business and the employee. DON’T give blanket access to everyone, instead give only the access they need to do their job.

Managing permissions can be frustrating, as it can seem like it takes a lot of time, but the protection reinforces the culture of controls within the business.

Workflows. The right software will let you build your approval workflows right into the software. This assures no single person can do something they’re not supposed to (as long as you set access right), which gives the business owner a level of comfort.

Audit Trails. Good software tells you who did what. This can not only help track down fraud but track down where people are making errors in the process.

It’s not common to look up audit trails, but when you do they’re invaluable. Make sure your software has a good audit history.

Software like NetSuite will allow you to limit access, create approval workflows, and review audit trails, but its Cloud infrastructure means you don’t lose the ease of use.

Thanks NetSuite for sponsoring this issue.

NetSuite is the #1 Cloud ERP that gives you complete visibility and control over your business operations, including financials, inventory, HR, CRM and more. Over 37,000 organizations have turned to NetSuite to help grow their top and bottom lines.

Click here to learn what top CFOs complete every day to become more strategic and efficient.

Get the guide

Exception Planning

There are exceptions in every accounting process and business.

The key is to give employees a way to address those exceptions in a way that allows them to solve problems themselves but also provides a clear path for seeking approval when needed.

Too many procedures and departments are built rigidly, which can often backfire. When you don’t provide a way to move outside the procedures, staff will find workarounds and not talk about it. This lack of communication creates toxicity and builds a culture that’s ripe for issues.

Conflict Management

No, I’m not talking about your Staff Accountant and AP Clerk getting into a cage match and fighting it out.

I’m talking about a conflict of interest.

Especially in small businesses, conflicts are all around you.

The family member who works in the business, the guy running a business on the side, or community relationships that started as first first.

Being upfront about conflicts and keeping open lines of communication is key to building trust among the team.

It’s when conflicts are “stuffed” and ignored that they grow and become a potential risk to the business.

Training & Reviews

All accounting policies and procedures should be trained on and reviewed, at minimum, annually.

This may seem like a lot, but a good documentation system should take less than a day to review and train on every year.

By having annual conversations, you not only ensure things stay up to date, but you’re giving your staff a say in the processes. These open channels of communication create buy-in in the specific processes, but also to following process as a whole.

For policies and checklists, I like to update these during the annual planning process.

For procedures, encourage a culture of updating those as they’re needed. You shouldn’t wait until annual planning, as that’ll create a culture of workarounds and not following the procedures.

Wrapping Up

This isn’t a sexy topic, but it’s an important one. The story I told to start is one I’ve thought about for years because fraud can turn a good business into a bankrupt one.

Segregation of duties is a beautiful thing when done correctly, that can help business owners and accounting pros sleep well at night.

I encourage you to review your processes and reach out if you’d like help in this area.