Business Services Industry
April Fools?
Internal Auditor, June, 2005 by Don Holdegraver, Arnold Schanfield, Mike Miller
It seems appropriate that Bruce McCuaig's article, "A Panacea of the Profession" ("Governance Perspectives," April 2005), was published in the April issue of Internal Auditor, because it certainly appears that he meant many of his comments about segregation of duties to be an "April Fools" joke. While he is correct in many ways about the availability of data mining capabilities with new software and the importance of assessing and managing risks, he also unintentionally sets up the age-old argument of preventive controls versus detective controls.
No auditor will deny that using the latest data extraction and analysis software gives quick access to, and identification of, anomalies and trends that spell potential fraud. But the question really is, "Do we want to catch it after it happens, or prevent it from reaching that stage?" I, for one, would much prefer to prevent the occurrence of a fraudulent transaction rather than try to detect it when it has already gone wrong.
Why? For several reasons. First and foremost, the cost of trying to recover from a fraud can be substantial compared to the cost of preventing the fraud in the first place. Legal costs, publicity, and lost time are just three of the reasons why it's better to prevent than catch fraud. Second, controls such as segregation of duties are not designed only to stop fraud, but to protect individuals from allegations of wrongdoing. If appropriate controls are not in place, an organization may not be able to identify who perpetrated the fraud. This is especially true in smaller businesses that must take shortcuts occasionally when it comes to control. As a result, everyone comes under suspicion instead of only the fraudster. Third, segregation of duties controls set a management tone that says, "We focus on doing it right, not on catching it when it's gone wrong."
McCuaig is correct in the various examples he uses of how segregation of duties fails and what results from the failures, but he uses the results to say segregation of duties is the problem, rather than recognizing that it's the improper use of segregation of duties that creates the problem. No amount of after-the-fact detection software can offset a good managerial review of a transaction prepared by another. Two sets of eyes really are better in control situations.
Segregation of duties is a control, and controls cost money. But fraud costs more. I would err on the side of preventive controls through segregation of duties, rather than putting all of the eggs in the detective basket. The detective controls should be there, but they're certainly not a panacea.
DON HOLDEGRAVER, CIA, CFE, CPA
Director-Operations Analysis
University of Nebraska-Lincoln
We would like to comment on some of the points made by McCuaig in his article. He states, "There is not a shred of definitive proof in the audit literature that segregation of duties is generally effective or worth its often significant cost." Yet, if a company has experienced a major fraud (for example, unauthorized movement of cash through verbal transfer of funds or unauthorized removal of valuable inventory because the person who is controlling the inventory also controls the accounting records) and a subsequent review of this fraud discloses these weaknesses and tightens up the controls through appropriate segregation of duties, is this in itself not proof that value will be obtained through such segregation?
We are two of perhaps 100,000 IIA members who, over the course of their careers, have identified numerous control problems and provided recommendations. One recommendation has been to segregate duties, and these actions themselves have helped prevent potential losses down the road. More often than not, appropriate segregation of duties can be obtained through creative thinking and not necessarily jumping to the conclusion that additional resources are needed. But McCuaig's position is that most auditor recommendations on this subject are "pie in the sky." In our experience, this has not been the case.
McCuaig is accurate when he says, "Segregation of duty breakdowns are usually symptoms of bad control design and not root causes of control failure." However, a value-added internal audit function should always perform a root cause analysis as part of the audit finding process. If bad control design is the root cause, it should have been stated as such, and the resulting recommendation should address both the symptom of the problem (i.e., the specific segregation of duties) and the root cause (i.e., tone at the top).
The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework comprises five components, all of which need to be working for an adequate system of internal controls to exist. To ignore segregation of duties when evaluating controls, which is strongly implied by McCuaig, for additional monitoring and data mining, is tantamount to suggesting that a key feature of one of these five components be disbanded. One of the premises of internal control is that an individual's position acts as checks and balances on a second person so that collusion would be needed for any problem to result. It is, therefore, difficult to accept renunciation of segregation of duties.
- 5 Rules for Immediate Annuities
- Death in the Family: 12 Things to Do Now
- Dumbest Things You Do With Your Money
- 6 Online Networking Mistakes to Avoid
- 401(k) Mistakes to Avoid
- 5 Economic Scenarios to Keep You Up at Night
- The Real ‘Best Places to Retire’
- Best Credit Cards for You
- 12 Tough Questions to Ask Your Parents
- The Real ‘Best Colleges’
- Home Buyer Tax Credit: How to Cash In
- Why You Shouldn't Bash Cash
- 8 Phony 'Bargains' and Better Alternatives
- Danger: 3 Debit Card Scams to Avoid
- 6 Myths About Gas Mileage
- 29 Fees We Hate Most
- Quick and Easy Ways to Boost Returns
- Best Stocks to Buy Now
- Lower Your Taxes: 10 Moves to Make Now
- New Jobs: 8 Lessons from Real-Life Career Switchers
- The New Job Market: Who Wins and Who Loses?
- Health Care Reform's Public Option: Everything You Need to Know
- Volunteer Work When Unemployed: Should You Work for Free?
- Whose Recovery Is This?
- Long-Term-Care Insurance: 4 Biggest Risks to Avoid
Content provided in partnership with
Most Recent Business Articles
- Multiple criteria evaluation and optimization of transportation systems
- Multi-criteria analysis procedure for sustainable mobility evaluation in urban areas
- A two-leveled multi-objective symbiotic evolutionary algorithm for the hub and spoke location problem
- Multi-criteria analysis for evaluating the impacts of intelligent speed adaptation
- The development of Taiwan arterial traffic-adaptive signal control system and its field test: a Taiwan experience
Most Recent Business Publications
Most Popular Business Articles
- 7 tips for effective listening: productive listening does not occur naturally. It requires hard work and practice - Back To Basics - effective listening is a crucial skill for internal auditors
- LIFO vs. FIFO: a return to the basics
- FAS 109: a primer for non-accountants - Financial Accounting Standards Board's "Statement 109: Accounting for Income Taxes"
- Too Young to Rent a Car? - 25-years-old the minimum age for car renting - Brief Article
- Design a commission plan that drives sales - Sales Commissions
Presented by American Express