Most of us pick up a book, read it at our leisure, and never think about the layers of labor that go into getting the book ready for publication. In publishing, after an author writes the book, it goes through several rounds of edits — developmental editing, substantive editing, copyediting, and line editing — before it is proofread and published. The process involves checks and balances to make sure that if one person doesn’t catch an edit, another will, improving the originality and quality of the final piece.

In well-run organizations, most processes have several steps and involve multiple employees. Having two or more people be responsible for different parts of a process can help ensure better results. It also is an effective fraud control and detection measure. For example, businesses may fight fraud by requiring two people to sign checks when paying vendors or by assigning responsibility for collecting applicant loan data to one person and loan data review to another. These practices are known as segregation of duties (SoD).

Best Practices for CFIs
In 2022, the Association of Certified Fraud Examiners (ACFE) estimated that, across the world, organizations lose 5% of revenue to fraud each year. Occupational fraud — fraud committed by employees against the organizations that employ them — is the most common and the costliest.

Sarbanes-Oxley regulations require banks to establish, maintain, and document SoD frameworks, and this is also considered a best practice for credit unions. Once this plan is established, it’s even more important to regularly assess its effectiveness. Here are a few steps to ensure a smooth, compliant internal controls audit process, according to the Federal Reserve’s Commercial Bank Examination Manual:
- Recognize weaknesses. The first step is to assess current operations. Identify processes that are vulnerable to error or fraud. According to the ACFE, half of all reported fraud occurs in four areas of an organization: operations, accounting, sales, and the executive suite. The review should produce a list of key processes that should be reviewed for control and security purposes. Among other things, your audit should assess the following:
  - Whether internal controls are properly aligned with your risk profile
  - The presence of a risk management authority and monitoring plan
  - Whether internal controls comply with laws, regulations, and supervisory requirements
- Don’t overcomplicate processes. While it may seem sensible to separate processes into a multitude of steps, having too many people involved can slow the process and may even create new vulnerabilities, like inaccuracies. Periodically rotating duties adds another layer to SoD.
- Choose internal auditors wisely. When audits are performed internally, they are more effective if the person auditing a specific area is from another department. This should ensure a more unbiased review and enhance the ability to spot errors, since the auditor has less familiarity with the documentation under review.
- Solicit necessary help. Under Sarbanes-Oxley, CEOs and CFOs are responsible for internal control structures. They must make sure the work of establishing, maintaining, and documenting process controls is done. If management isn’t regularly available to supervise an SoD framework, then outside assistance may be required. It’s common for external auditors to specialize in a particular industry. Reaching out to other branches of your organization or some neighboring CFIs for recommendations can help you connect with external auditors in the area. This process can also help you narrow down options, based on the experiences of other institutions.
- Document and present findings. A proper audit of internal controls should include a presentation to the board of directors by either the staff members or the independent auditor who performed the assessment. You’ll also want to document management’s responses to any findings that require addressing. Any sensitive findings, such as concerns that implicate staff members, should be brought directly to the board.
It’s important to remember that SoD is not a one-and-done activity. Processes should be regularly audited and adjusted. The ACFE reported that 16% of occupational fraud is detected through internal audits, so don’t discount the value of a yearly, quarterly, or even monthly audit.

Segregation of duties is a tried-and-true security measure that helps organizations reduce errors and detect and prevent fraud. Best practices for SoD include identifying organizational vulnerabilities, introducing effective processes and segmentation, and reviewing processes continually.
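The two SoD controls named at the start of the article (two signers on vendor checks; separate people collecting and reviewing applicant loan data) can be checked mechanically against a workflow audit log. The script below is an added example, not from the article or the Federal Reserve manual; the conflict table, the minimum-signer rule, and the log records are all constructed sample data.

```python
"""Segregation-of-duties check over a constructed workflow audit log.
Added example: models the loan collect/review split and the two-signer
check rule described in the article. Policy tables are assumptions."""
from collections import defaultdict

# Pairs of duties that one identity must never perform on the same record.
# Assumed policy table; an institution derives its own from its risk review.
CONFLICTING_DUTIES = {
    ("collect_loan_data", "review_loan_data"),
    ("prepare_payment", "approve_payment"),
}

# Duties that require at least this many distinct identities per record.
MIN_DISTINCT_ACTORS = {"sign_check": 2}

# Constructed audit log: (record_id, duty, actor).
SAMPLE_LOG = [
    ("loan-1001", "collect_loan_data", "alice"),
    ("loan-1001", "review_loan_data", "bob"),      # different people: compliant
    ("loan-1002", "collect_loan_data", "carol"),
    ("loan-1002", "review_loan_data", "carol"),    # same person: SoD violation
    ("chk-5001", "sign_check", "dave"),
    ("chk-5001", "sign_check", "erin"),            # two signers: compliant
    ("chk-5002", "sign_check", "dave"),
    ("chk-5002", "sign_check", "dave"),            # one signer twice: violation
]

def find_sod_violations(log):
    """Return (record_id, reason) tuples for every SoD breach in the log."""
    actors_by_duty = defaultdict(lambda: defaultdict(set))
    for record_id, duty, actor in log:
        actors_by_duty[record_id][duty].add(actor)

    violations = []
    for record_id, duties in sorted(actors_by_duty.items()):
        for first, second in CONFLICTING_DUTIES:
            overlap = duties.get(first, set()) & duties.get(second, set())
            for actor in sorted(overlap):
                violations.append((record_id, f"{actor} performed both {first} and {second}"))
        for duty, minimum in MIN_DISTINCT_ACTORS.items():
            if duty in duties and len(duties[duty]) < minimum:
                violations.append((record_id, f"{duty} needs {minimum} distinct actors, got {len(duties[duty])}"))
    return violations

if __name__ == "__main__":
    for record_id, reason in find_sod_violations(SAMPLE_LOG):
        print(f"{record_id}: {reason}")
```

Running the same check on each audit cycle, rather than once at framework setup, is what turns the control into the recurring review the article calls for.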