segregation of duties 2.25.55-6.ppt - office of...

Post on 21-Apr-2018


Segregation of Duties

APM 2.25.55


Overview

• The policy discusses the following functions:
– Authorization
– Recording
– Verification
– Custody of assets
– Managerial review

• Effective Date: October 1, 2008

Overview

• APM 2.25.55 Segregation of Duties
• APM 2.25.55.01 Segregation of Duties – Sponsored Programs
– Focuses on Compliance requirements for Sponsored Programs
– Supplements the requirements from APM 2.25.55—Segregation of Duties

Segregation of Duties

• Senior administration is responsible to ensure segregation of duties.
• Provides two benefits:
– Mitigates risk of fraud
– Detection of errors or irregularities

Segregation of Duties

• Optimally, no single individual should have responsibility to complete two or more phases of a transaction or process.
– Authorization
– Recording
– Verification
– Custody of assets
– Managerial review

Segregation of Duties

• When less than optimal segregation exists, compensating controls must be in place.
• Compensating controls include:
– Detailed monthly managerial review
– Share resources with other departments

Authorization

• Appointed individual who:
– Can initiate or execute transactions for the University
– Indicates the transaction meets accounting and compliance requirements
– Is aware of budget availability

Authorization

• Individuals cannot authorize transactions which benefit themselves, such as:
– Travel arrangements/reimbursements
– Expense reimbursements
• Reproducible documentation is required

Recording

• Process of creating and maintaining financial records
• Examples:
– Preparing CRR/ARR
– Journal entries
– Entering requisitions
– Inputting time/absences into WebTime
– Correcting payroll charges (PCE)
– Entering Vouchers

Verification

• Confirms accuracy and timeliness of recorded accounting transactions:
– Appropriate ChartFields
– Appropriate accounting period
– Amounts are correct
• Individuals should not verify transactions they authorized.

Verification

• Confirms segregation of duties between recording and authorization
• Documented with signature and date
– Can be electronic or paper

Verification

• Documentation examples—review and sign:
– P-card statement
– Expense Distribution Reports (EDRs)
– Printout of Transaction Checklist
– PeopleSoft WorkFlow approval of Requisitions or Receivers

Custody of Assets

• Access to or control over physical assets
• Examples:
– Maintaining inventory for resale
– Access to safe where money is stored
– Event tickets
– Parking permits
– Handling checks received for deposit
– Intellectual property—data or research

Managerial Review

• Provides assurance that controls are in place and operating as designed
– Appropriate individuals authorized and verified transactions
• High level review for unusual or unreasonable activity

Managerial Review

• Performed more frequently if authorization and verification are not segregated
• Should not be performed by the person verifying transactions
• Must not be performed by the person recording transactions

Managerial Review

• Suggested documentation to print and review:
– Income Statement
– Budget Variance Report
– Transaction Checklist
– For other options, discuss with your Accounting Office
• Documented with signature and date

Optimal Segregation

Authorization   Recording   Verification   Managerial Review
1               2           3              Mgr

• Four people are involved
• Each performs unique function
• PS Security/Access precludes crossover of functions
• Optimal segregation—managerial review can be quarterly

Good Segregation

Authorization   Recording   Verification   Managerial Review
1               2           Mgr            Not needed

• Three people are involved
• Detailed verification is performed by Manager
• Authorization, recording and verification are separated
• PS Security/Access enforces segregation
• Good segregation—Manager is performing the detailed verification

Good Segregation

Authorization   Recording   Verification   Managerial Review
1               2           1              Mgr

• Three people are involved
• Recording and verification are separated
• PS Security/Access enforces segregation
• Good segregation—managerial review can be quarterly

Good Segregation

Authorization   Recording   Verification   Managerial Review
1               1           3              Mgr

• Three people are involved
• Recording and verification are separated
• Good segregation—managerial review can be quarterly

Checking Your Own Work

Authorization   Recording   Verification   Managerial Review
1               2           2              Mgr

• Three people are involved
• Recording and verification are not separated
• Managerial review is performed monthly.

Manager Authorizes

Authorization   Recording   Verification   Managerial Review
Mgr             2           2              Mgr

• Two people are involved
• Recording and verification are not separated
• DETAILED managerial review will be performed monthly

To be Avoided Segregation

Authorization   Recording   Verification   Managerial Review
1               1           1              Mgr

• Least preferred and should be avoided
• Only two people are involved
• One person controls the entire transaction
• DETAILED managerial review will be performed monthly

Unacceptable Segregation

Authorization   Recording   Verification   Managerial Review
Mgr             Mgr         Mgr            Mgr

• This scenario represents an unacceptable risk and is not allowed.
• Unacceptable whether a Manager or any level personnel

Frequently Asked Questions

• The following Frequently Asked Questions (FAQs) address practical application of this policy.

FAQ’s – Impact

• How does this policy change the interaction between Departments and Accounting?
– No change required.
– Accounting will still check PS Authorization for authorized signatures for non-PO vouchers.

FAQ’s – Authorization

• Does a manager’s email to order items meet the requirements for authorization?
– Yes. The email is an authorization to initiate the transaction.
– Retain the email as documentation.

FAQ’s – Authorization

• Does a manager’s verbal request to order items meet the requirements for authorization?
– No. Written documentation or an email is needed to authorize the transaction and must be retained.

FAQ’s – Authorization

• Does a manager’s unsigned fax meet the requirements for authorization?
– No. Request a signature on the fax as it could have been sent by anyone.
– Retain the signed fax as authorization for the purchase.

FAQ’s – Authorization

• Does a manager’s request in a department meeting satisfy the requirements for authorization?
– Yes, if meeting notes are documented and distributed.
– The notes serve as authorization for the purchase.

FAQ’s – Authorization

• Does a manager’s signature stamp on a document meet the requirements for authorization?
– No. Request a written signature or email to initiate the transaction.
– Retain documentation as authorization.

FAQ’s – Authorization

• How are frequently purchased items authorized? (e.g. office supplies)
– Documented via:
  • Signed non-PO vouchers
  • Electronic signature on requisition or receiver
  • Email authorizing specific transactions
  • Initiation by the P-card holder

FAQ’s – Authorization

• Can any individual authorize transactions for themselves (travel or reimbursement)?
– No. Travel or other reimbursement which directly benefits the employee must be authorized by the individual’s supervisor and an authorized signer on the DeptID being charged.

FAQ’s – Recording

• Can the same individual authorize, record, and verify transactions?
– Not recommended, but yes. There must be a significant reliance on the managerial review.
  • More frequently, at least monthly
  • Must be thorough enough to identify errors and irregularities.

FAQ’s – Verification

• What should verification include?
– Key aspects of verification:
  • Appropriate use of ChartFields including account, accounting periods, and amount
  • Proper authorization of the transaction
  • Documentation of verification - sign and date
  • Electronic or paper

FAQ’s – Verification

• How often should verification be performed?
– Verification should be performed monthly.
– Per BPM 213, corrections should be made within two accounting periods after the end of the month in which the original transaction posted.

FAQ’s – Verification

• How should verification be documented?
– Verification must be documented with a signature, electronic or manual, and date.
– Examples include the transaction checklist or signature and date on a printed copy of the checklist
– Discuss alternative methods with the Accounting Office.

FAQ’s – Verification

• Can the same person who authorizes perform the verification?
– Not recommended. These two activities should be done by different people to segregate duties.

FAQ’s – Managerial Review

• What should the managerial review include?
– A high level review for unusual or unreasonable activity.
– Review for proper authorization and verification of expenses.
– Review documentation to verify segregation of duties are in place.

FAQ’s – Managerial Review

• What is the evidence that a managerial review has been completed?
– The manager may choose to print, sign, date and retain any of the following:
  • Income Statement or a budget variance report;
  • Transaction Checklist; or
  • Discuss alternative methods with the Accounting Office.

FAQ’s – Managerial Review

• How often should managerial review be performed?
– Quarterly, with optimal or good segregation.
– A more detailed monthly review must be performed when segregation of duties is less than optimal or good.

FAQ’s – Managerial Review

• Without segregation of duties, what additional duties should be performed?
– A more detailed review of the individual transactions needs to be performed monthly.
  • Appropriate use of ChartFields including account, accounting periods, and amount
  • Proper authorization of the transaction
– Address high-risk areas for custody of assets

Concluding Points

• Optimally, no one person should have more than one of these responsibilities:
– Authorization
– Recording
– Verification
– Custody of assets
– Managerial review
• If less than optimal segregation, mitigating controls must be implemented.

References

• APM 2.25.55 – Segregation of Duties
• APM 2.25.55.01 – Segregation of Duties—Sponsored Programs
• BPM 213 – Adjustment of Income & Expense Items

Contact Information

Paul Toler, Director of Business Services
573-882-4959
TolerP@missouri.edu

Tracy Greenup, Assistant Director Business Services
573-882-7092
greenupt@umsystem.edu
