Separation of Duties
Separation of duties, also seen as segregation of duties, ensures that a single person does not handle all crucial decisions and activities, especially those involving a high level of trust. The goal is to avoid the temptation to commit fraud or other illegal activities. Most people consider themselves reasonably honest and consider stealing wrong or immoral. However, life is messy, and concepts like right and wrong can get blurred when surrounded by the realities of life.
Consider the following scenario: A CFO at a mid-sized financial firm has worked hard to achieve his position. He is well-respected and known for finding diamond-in-the-rough investments that pay off well for his firm. His bonuses are tied to investment decisions that produce profits—if the firm does well, the CFO receives a lucrative bonus. His wife is a database administrator for a large consulting firm. They have three young children, a large home in a desirable neighborhood, and a significant amount of debt.
On Friday evening, the wife comes home from work obviously shaken. Due to an economic downturn, her company has just announced that it will lay off 50% of its consultants. She has been offered a small severance package in return for her voluntary resignation. Faced with their income being cut in half, the CFO starts looking for ways to increase his personal income to make up the difference.
As their financial situation becomes more strained, he begins to take bigger and bigger risks, hoping for a big payoff that will allow them to pay off their debts and get back on their feet until his wife finds another position. Three months after his wife loses her job, the foreclosure notice arrives. Unless they can pay off several months of overdue mortgage payments, they will lose their home.
The CFO knows that the market will eventually go back up and he will find the big payoff, but he can’t wait any longer. He issues himself a corporate check for $50,000—enough to bring his mortgage current, pay off overdue bills, and give his family a few months of breathing room. He will pay it all back, he promises himself, as soon as the market rebounds. As the CFO, he has the final authority to issue checks and knows that no one below him will question the expenditure.
The CFO did not set out to embezzle from the firm. He simply found himself in a desperate situation and did what he felt he had to do to in order to buy himself some time to solve the problems he faced. Desperation coupled with opportunity resulted in the theft.
Concept of Two-Person Control
Two-person control is designed to eliminate the opportunity for theft, fraud, or other harmful activity. In this concept, there must be two authorized individuals available to approve any sensitive activity. In the preceding scenario, a two-person control would have prevented the CFO from embezzling because he would have needed a second signatory, such as the CEO, on the check. Requiring two signatures would have removed the opportunity to embezzle.
Collusion
Two-person control is not foolproof. In the above scenario, the CFO may have been able to tell the CEO his story and convince him to co-sign the check as a personal favor. This situation is a form of collusion. However, broaching the subject would have been risky, as simply asking another officer of the company to help him embezzle could have been grounds for his own termination.
Monitoring and Oversight
Although two-person control can be an effective way to remove the opportunity for harmful or dangerous activity, it is only as effective as those who enforce it. If the financial firm required two signatories on all checks, but the CFO knew that the bank did not enforce this rule, the two-person control would have been ineffective.
Similarly, there should always be oversight of any significant activity requiring two-person control to prevent collusion. Whenever two individuals consistently share a significant responsibility, a bond can form between the two individuals. This friendship can become more important to the individuals than the shared task. In the scenario above, if the CEO and CFO were close friends, the CFO would have trusted that his friend would not take action against him and would be likely to help him take out a private loan from the company. In this case, a regular monthly review by the board of directors of all large expenditures would provide some oversight to the two-person control.
Auditing, both internally and by an external firm, is a common way to ensure that all transactions are legitimate and complete. A firm that uses internal auditing must have a team of employees who have the authority to investigate any potential misuse of resources. An internal audit is only useful if the auditors have the freedom to follow up on any information they find, and they are part of an organization that independently reports to the chief executive.
External audits must be performed by an objective outside organization. Unfortunately, when the auditing company is hired by the organization it is supposed to audit, the same weaknesses can surface. A good example of the failure of external auditing is the Enron collapse. Enron was able to hide important financial information from both stakeholders and banks. Their auditing firm, Arthur Andersen, did not discover the hidden information and lost their right to conduct audits. This eventually led to the demise of both Enron and Arthur Andersen in one of the greatest corporate scandals in history.