Internal controls provide a system of checks and balances that work to prevent intentional or unintentional data entry errors, fraud and theft. A strong internal control system must ensure that no single employee or group of employees maintains too much control or influence over cash flows, financial data, inventory and other business assets. Segregating duties as much as you can is one of the best ways to protect your business.
Complete segregation of duties separates incompatible functions -- tasks or activities that provide an opportunity for one or more employees to both commit and hide errors, fraud or theft. The Institute of Internal Auditors identifies custody of assets, authorizations and approvals, and recording and reporting as the three key categories of incompatible duties. According to the IIA, workflow responsibilities should prevent any one person from having both access to and responsibility for accounting for financial and physical assets.
Payroll and purchasing are two areas that require segregation of duties. In the payroll department, prevent ghost employees -- people recorded on the payroll system who do not work for you -- by making sure that the person responsible for collecting and maintaining employees' personal and financial information doesn’t also process payroll. Guard against unauthorized purchases or vendor favoritism by separating order entry and authorization duties.
Segregation of duties can help reduce unintentional errors that affect your bottom line. Appointing a team leader or supervisor to review and compare transactions to supporting documentation, such as comparing employee time cards to a payroll report, is a common example. Just as separating order entry and authorization duties guards against instances of theft and fraud, separating these duties -- and requiring the person with authorization responsibilities to double-check totals -- also can reduce data entry errors.
Small businesses with only a few employees or on a tight hiring budget can’t always achieve complete segregation. In this case, mitigating controls are essential. Even though these compensating controls are "detective" rather than preventive, they can still provide reasonable assurance that the department is meeting risk mitigation objectives. For example, reviewing daily and weekly reports, regularly rotating duties, conducting unannounced spot-checks of financial transactions or an announced physical inventory count, and scheduling bi-annual internal audits are all good detective controls.