Procurement and Accounts Payable
INTRODUCTION
Companies handle major expenditures through the procurement process. Besides being important to the bottom
line, purchasing interrelates with most other organizational activities and impacts overall organizational
efficiencies. Procurement control processes depend upon a healthy check-and-balance between business
activities involved in procurement, receipt and settlement of assets with suppliers.
A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying
segregation of duties is that no employee or group should be in a position to perpetrate and conceal errors or
fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated include:
• Custody of assets
• Authorization or approval of related transactions affecting those assets
• Recording or reporting of related transactions
• Execution of the transaction or transaction activity
An essential feature of segregation of duties is that no one employee or group of employees has exclusive control
over any transaction or group of transactions.
Many purchasing and related transaction processes are automated. Transaction processing systems usually
incorporate “blanket-style” parameters or controls that can lead to material leakage if minor oversights are
multiplied over thousands of transactions. Be advised that the ability to change parameters, override controls,
access administrator functions and edit/add/delete items may not be overtly apparent to supervisors or other
processing personnel.
The internal audit or procurement review team should consider how segregation of duties is incorporated into
enterprise resource planning (ERP) applications and related processes. Today, most companies use integrated
applications for components of procurement transactions that may span several modules or departments and
even extend to vendor/partner suppliers. Electronic data interchange (EDI) with external parties in the supply
chain should be incorporated into the project risk assessment and possibly into the scope of the audit plan.
The review team should consider the following three tiers of the overall procurement process:
• Operational (manual) and system/ERP controls (integrated process) review
• Policy and procedures for vendor selection, bidding/negotiation and partner/EDI approvals
• Remote or intradepartmental controls and related management support (feedback and reporting)
Audit teams are encouraged to use this form to help identify potentially commingled duties within each application
and related processes that may signal a control weakness. Often, a lack of segregation of duties can be masked
by the fact that processes or events happen at different times, including batch processing or access controls over
application processing tools. Any potentially conflicting duties should be noted and evaluated in the working
papers. In addition, instances when a duty is not performed may indicate a weakness in controls.
Additional reporting and review processes or spot checks may be included to ensure identification of fraud.
1 Source: www.knowledgeleader.com
MATRIX INSTRUCTIONS
The duties to be considered in determining the adequacy of segregation of duties, among those responsible for
procurement, are listed in the following chart.
This form has been designed to highlight conflicting duties performed by one individual.
• List the names of individuals responsible for particular duties in the appropriate column. For example, the
names of the individuals who are responsible for issuing purchase requisitions would fall into the recording
column.
• If a function is performed by a computer application, then indicate “computer” or “information technology (IT)”
in the applicable duty’s column. If an individual performs a system-automated function, make an “IT” notation
(where applicable) to facilitate consideration of the relevant application access controls.
Consideration: If “computer” or “IT” has been listed as performing a function, consider whether:
− The individuals authorized to enter transactions or adjustments perform other incompatible duties. Then,
consider whether the segregation of duties within the information technology department and/or other
controls result in effective segregation of duties.
− The organization has procedures to ensure that only authorized individuals have the ability to enter the
transactions or adjustments.
• After a form has been completed for each significant application, review the form for instances where one
individual is listed in more than one column and is considered to be performing incompatible duties. Determine
if these combinations represent a potential lack of segregation of duties.
Consideration: Potential incompatible duties would exist if one individual performs duties in more than one
category (authorization or approval, custody or recording/reporting) or if an individual is responsible for
performing a control over the same transaction that the individual is responsible for recording/reporting.
However, not all instances where an individual performs duties in more than one column represent a lack of
segregation of duties.
• Consider whether individuals are performing incompatible duties within the same column (e.g., control
procedure).
Consideration: There is the possibility of a lack of segregation of duties within the same category (e.g., the
individual who authorizes credit also approves the write-off of uncollectable accounts).
• Consider recommendations to streamline inefficiencies, such as duplicate duties that may be identified as the
segregation of duties is reviewed. Sometimes an aggregate review of systematic and manual processes
(analysis of cross-functional and interdepartmental lines of responsibility) uncovers duplicate processing.
Note: Completion of this chart is intended to highlight potentially conflicting duties, not to be the only method of
identifying all such conflicting duties.
In general, the principal incompatible duties to be segregated are: authorization, custody of assets,
recording/reporting of transactions and execution. The basic idea underlying segregation of duties is that no one
employee or group of employees should be in a position both to perpetrate and conceal errors or irregularities in
the normal course of their duties.
Effective segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain
undetected by providing for separate processing by different individuals at various stages of a transaction and for
independent reviews of the work performed.
Transaction Process/Execution | Authorization | Custody of Assets | Recording | Control Procedure – Over Execution
Preparation of checks         |               |                   |           |
Signing of checks             |               |                   |           |
Mailing of checks             |               |                   |           |
Once an individual is identified as performing incompatible duties, all duties performed by that individual should
be reviewed to determine the effectiveness of those duties or whether there is a risk of fraud due to the lack of
segregation of duties.
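The review steps in the matrix instructions can be run mechanically over a completed form. The following is an added example, not part of the original form: the column keys, the sample names and the "Vendor master changes" row are constructed for illustration. Its findings are candidates for evaluation in the working papers, not confirmed control weaknesses.

```python
from collections import defaultdict

# Hypothetical keys for the form's four duty columns.
COLUMNS = ("authorization", "custody", "recording", "control")
AUTOMATED = {"computer", "it"}  # notations the form uses for system-performed duties

# Constructed sample form: duty -> column -> names entered by the reviewer.
SAMPLE_FORM = {
    "Preparation of checks": {"authorization": ["B. Chen"], "recording": ["A. Rivera"]},
    "Signing of checks": {"authorization": ["B. Chen"], "control": ["A. Rivera"]},
    "Mailing of checks": {"custody": ["A. Rivera", "computer"]},
    "Vendor master changes": {},  # nobody listed: the duty is not performed
}

def review_form(form):
    """Return the findings the matrix instructions ask the reviewer to look for."""
    by_person = defaultdict(lambda: defaultdict(list))  # person -> column -> duties
    automated, unperformed = [], []
    for duty, row in form.items():
        unknown = set(row) - set(COLUMNS)
        if unknown:
            raise ValueError(f"{duty}: unknown column(s) {sorted(unknown)}")
        entries = [(col, name.strip()) for col in COLUMNS
                   for name in row.get(col, []) if name.strip()]
        if not entries:
            unperformed.append(duty)  # a missing duty may itself be a weakness
        for col, name in entries:
            if name.lower() in AUTOMATED:
                automated.append((duty, col))  # review application access controls
            else:
                by_person[name][col].append(duty)
    # One individual listed in more than one column.
    cross = {p: sorted(cols) for p, cols in by_person.items() if len(cols) > 1}
    # One individual holding several duties within the same column.
    same = {(p, c): duties for p, cols in by_person.items()
            for c, duties in cols.items() if len(duties) > 1}
    return {"cross_column": cross, "same_column": same,
            "automated": automated, "unperformed": unperformed}

if __name__ == "__main__":
    for finding, detail in review_form(SAMPLE_FORM).items():
        print(finding, detail)
```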
RESULTS
The requisition, ordering, receiving, paying and general accounting activities need to be appropriately segregated
if all control objectives are to be met. For example, those who perform the ordering (purchasing) activity, including
those who maintain contact with outside suppliers and issue purchase orders, would not perform any receiving,
accounting or cash disbursement activities.
If potentially conflicting duties have been identified, note them below and either:
• Indicate below their effects on our evaluation of the controls over the purchase application, our assessment of
the risk of fraud, and audit approach, or
• Indicate where in the working papers their effects are considered (e.g., in control analysis documentation or
other preliminary fraud control testing)
SUMMARY
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
• From your perspective, how can internal audit be more effective, add value and provide service to you, your
staff and the organization? (Please be specific.)
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
Thank you very much for your time, efforts and valued feedback.